[GIT PULL] lsm/lsm-pr-20240312

From: Paul Moore
Date: Tue Mar 12 2024 - 19:20:21 EST

Next message: Nuno Das Neves: "[PATCH] hyperv-tlfs: Rename some HV_REGISTER_* defines for consistency"
Previous message: Paul Moore: "[GIT PULL] selinux/selinux-pr-20240312"
Next in thread: pr-tracker-bot: "Re: [GIT PULL] lsm/lsm-pr-20240312"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Linus,

There are a number of LSM patches for the Linux v6.9 merge window,
the highlights are shown below. As a heads-up, someone just flagged
a problem with the LSM syscalls earlier today, so expect another pull
request within a few days once we've had a chance to develop/review/test
the fix.

- Promote IMA/EVM to a proper LSM

This is the bulk of the diffstat in the pull request, and the source
of all the changes in the VFS code. Prior to the start of the LSM
stacking work it was important that IMA/EVM were separate from the
rest of the LSMs, complete with their own hooks, infrastructure, etc.
as it was the only way to enable IMA/EVM at the same time as a LSM.
However, now that the bulk of the LSM infrastructure supports multiple
simultaneous LSMs, we can simplify things greatly by bringing IMA/EVM
into the LSM infrastructure as proper LSMs. This is something I've
wanted to see happen for quite some time and Roberto was kind enough
to put in the work to make it happen.

- Use the LSM hook default values to simplify the call_int_hook() macro

Previously the call_int_hook() macro required callers to supply a
default return value, despite a default value being specified when
the LSM hook was defined. This pull request simplifies the macro
by using the defined default return value which makes life easier
for callers and should also reduce the number of return value bugs
in the future (we've had a few pop up recently, hence this work).

- Use the KMEM_CACHE() macro instead of kmem_cache_create()

The guidance appears to be to use the KMEM_CACHE() macro when possible
and there is no reason why we can't use the macro, so let's use it.

- Fix a number of comment typos in the LSM hook comment blocks

Not much to say here, we fixed some questionable grammar decisions in
the LSM hook comment blocks.

Please merge when you have the chance,
-Paul

--
The following changes since commit 54be6c6c5ae8e0d93a6c4641cb7528eb0b6ba478:

Linux 6.8-rc3 (2024-02-04 12:20:36 +0000)

are available in the Git repository at:

https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm.git
tags/lsm-pr-20240312

for you to fetch changes up to edc6670233a333ccfd1ec0548f068bd121d209c8:

cred: Use KMEM_CACHE() instead of kmem_cache_create()
(2024-02-23 17:33:31 -0500)

----------------------------------------------------------------
lsm/stable-6.9 PR 20240312

----------------------------------------------------------------
Kunwu Chan (1):
cred: Use KMEM_CACHE() instead of kmem_cache_create()

Ondrej Mosnacek (1):
lsm: use default hook return value in call_int_hook()

Pairman Guo (1):
lsm: fix typos in security/security.c comment headers

Roberto Sassu (25):
ima: Align ima_inode_post_setattr() definition with LSM infrastructure
ima: Align ima_file_mprotect() definition with LSM infrastructure
ima: Align ima_inode_setxattr() definition with LSM infrastructure
ima: Align ima_inode_removexattr() definition with LSM infrastructure
ima: Align ima_post_read_file() definition with LSM infrastructure
evm: Align evm_inode_post_setattr() definition with LSM infrastructure
evm: Align evm_inode_setxattr() definition with LSM infrastructure
evm: Align evm_inode_post_setxattr() definition with LSM infrastructure
security: Align inode_setattr hook definition with EVM
security: Introduce inode_post_setattr hook
security: Introduce inode_post_removexattr hook
security: Introduce file_post_open hook
security: Introduce file_release hook
security: Introduce path_post_mknod hook
security: Introduce inode_post_create_tmpfile hook
security: Introduce inode_post_set_acl hook
security: Introduce inode_post_remove_acl hook
security: Introduce key_post_create_or_update hook
integrity: Move integrity_kernel_module_request() to IMA
ima: Move to LSM infrastructure
ima: Move IMA-Appraisal to LSM infrastructure
evm: Move to LSM infrastructure
evm: Make it independent from 'integrity' LSM
ima: Make it independent from 'integrity' LSM
integrity: Remove LSM

fs/attr.c | 5 +-
fs/file_table.c | 3 +-
fs/namei.c | 12 +-
fs/nfsd/vfs.c | 3 +-
fs/open.c | 1 -
fs/posix_acl.c | 5 +-
fs/xattr.c | 9 +-
include/linux/evm.h | 117 +---
include/linux/ima.h | 142 ----
include/linux/integrity.h | 27 -
include/linux/lsm_hook_defs.h | 20 +-
include/linux/security.h | 59 ++
include/uapi/linux/lsm.h | 2 +
kernel/cred.c | 4 +-
security/integrity/Makefile | 1 +
security/integrity/digsig_asymmetric.c | 23 -
security/integrity/evm/Kconfig | 1 +
security/integrity/evm/evm.h | 19 +
security/integrity/evm/evm_crypto.c | 4 +-
security/integrity/evm/evm_main.c | 195 +++++-
security/integrity/iint.c | 197 +-----
security/integrity/ima/Kconfig | 1 +
security/integrity/ima/Makefile | 2 +-
security/integrity/ima/ima.h | 148 +++-
security/integrity/ima/ima_api.c | 23 +-
security/integrity/ima/ima_appraise.c | 66 +-
security/integrity/ima/ima_iint.c | 142 ++++
security/integrity/ima/ima_init.c | 2 +-
security/integrity/ima/ima_main.c | 148 +++-
security/integrity/ima/ima_policy.c | 2 +-
security/integrity/integrity.h | 80 +--
security/keys/key.c | 10 +-
security/security.c | 775 ++++++++++-----------
security/selinux/hooks.c | 3 +-
security/smack/smack_lsm.c | 4 +-
.../testing/selftests/lsm/lsm_list_modules_test.c | 6 +
36 files changed, 1123 insertions(+), 1138 deletions(-)
create mode 100644 security/integrity/ima/ima_iint.c

--
paul-moore.com

Next message: Nuno Das Neves: "[PATCH] hyperv-tlfs: Rename some HV_REGISTER_* defines for consistency"
Previous message: Paul Moore: "[GIT PULL] selinux/selinux-pr-20240312"
Next in thread: pr-tracker-bot: "Re: [GIT PULL] lsm/lsm-pr-20240312"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]