[GIT PULL] integrity subsystem updates for v5.11

From: Mimi Zohar
Date: Tue Dec 15 2020 - 07:46:39 EST


Hi Linus,

Included in this pull request are just 3 patches. Other integrity
changes are being upstreamed via EFI (defines a common EFI secure and
trusted boot IMA policy) and BPF LSM (exporting the IMA file cache hash
info based on inode).

The 3 patches included in this pull request:
- bug fix: fail calculating the file hash, when a file not opened for
read and the attempt to re-open it for read fails.
- defer processing the "ima_appraise" boot command line option to avoid
enabling different modes (e.g. fix, log) to when the secure boot flag
is available on arm.
- defines "ima-buf" as the default IMA buffer measurement template in
preparation for the builtin integrity "critical data" policy.

thanks,

Mimi


The following changes since commit 3cea11cd5e3b00d91caf0b4730194039b45c5891:

Linux 5.10-rc2 (2020-11-01 14:43:51 -0800)

are available in the Git repository at:

git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git tags/integrity-v5.11

for you to fetch changes up to 207cdd565dfc95a0a5185263a567817b7ebf5467:

ima: Don't modify file descriptor mode on the fly (2020-11-29 07:02:53 -0500)

----------------------------------------------------------------
integrity-v5.11

----------------------------------------------------------------
Ard Biesheuvel (1):
ima: defer arch_ima_get_secureboot() call to IMA init time

Lakshmi Ramasubramanian (1):
ima: select ima-buf template for buffer measurement

Roberto Sassu (1):
ima: Don't modify file descriptor mode on the fly

include/linux/ima.h | 6 ++++++
security/integrity/ima/ima.h | 1 +
security/integrity/ima/ima_appraise.c | 17 +++++++++++------
security/integrity/ima/ima_crypto.c | 20 +++++---------------
security/integrity/ima/ima_main.c | 25 ++++++++++---------------
security/integrity/ima/ima_policy.c | 2 +-
security/integrity/ima/ima_template.c | 26 ++++++++++++++++++++++++++
7 files changed, 60 insertions(+), 37 deletions(-)