Commit 57ce66d3 authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge branch 'next-integrity' of... 

Merge branch 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull integrity updates from James Morris:
 "From Mimi: This contains a couple of bug fixes, including one for a
  recent problem with calculating file hashes on overlayfs, and some
  code cleanup"

* 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  MAINTAINERS: add Jarkko as maintainer for trusted keys
  ima: open a new file instance if no read permissions
  ima: fix showing large 'violations' or 'runtime_measurements_count'
  security/integrity: remove unnecessary 'init_keyring' variable
  security/integrity: constify some read-only data
  vfs: require i_size <= SIZE_MAX in kernel_read_file()
parents 4ba9628f 34bccd61

MAINTAINERS

+1 −0
Original line number Diff line number Diff line
@@ -8165,6 +8165,7 @@ F: security/keys/encrypted-keys/ 


KEYS-TRUSTED

M:	James Bottomley <jejb@linux.vnet.ibm.com>

M:      Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

M:	Mimi Zohar <zohar@linux.vnet.ibm.com>

L:	linux-integrity@vger.kernel.org

L:	keyrings@vger.kernel.org

fs/exec.c

+4 −4
Original line number Diff line number Diff line
@@ -908,14 +908,14 @@ int kernel_read_file(struct file *file, void **buf, loff_t *size, 
		goto out;



	i_size = i_size_read(file_inode(file));

	if (max_size > 0 && i_size > max_size) {

		ret = -EFBIG;

		goto out;

	}

	if (i_size <= 0) {

		ret = -EINVAL;

		goto out;

	}

	if (i_size > SIZE_MAX || (max_size > 0 && i_size > max_size)) {

		ret = -EFBIG;

		goto out;

	}



	if (id != READING_FIRMWARE_PREALLOC_BUFFER)

		*buf = vmalloc(i_size);

security/integrity/digsig.c

+2 −8
Original line number Diff line number Diff line
@@ -26,7 +26,7 @@ 


static struct key *keyring[INTEGRITY_KEYRING_MAX];



static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {

static const char * const keyring_name[INTEGRITY_KEYRING_MAX] = {

#ifndef CONFIG_INTEGRITY_TRUSTED_KEYRING

	"_evm",

	"_ima",
@@ -37,12 +37,6 @@ static const char *keyring_name[INTEGRITY_KEYRING_MAX] = { 
	"_module",

};



#ifdef CONFIG_INTEGRITY_TRUSTED_KEYRING

static bool init_keyring __initdata = true;

#else

static bool init_keyring __initdata;

#endif



#ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY

#define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted

#else
@@ -85,7 +79,7 @@ int __init integrity_init_keyring(const unsigned int id) 
	struct key_restriction *restriction;

	int err = 0;



	if (!init_keyring)

	if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING))

		return 0;



	restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL);

security/integrity/evm/evm_crypto.c

+2 −2
Original line number Diff line number Diff line
@@ -27,7 +27,7 @@ 
#define EVMKEY "evm-key"

#define MAX_KEY_SIZE 128

static unsigned char evmkey[MAX_KEY_SIZE];

static int evmkey_len = MAX_KEY_SIZE;

static const int evmkey_len = MAX_KEY_SIZE;



struct crypto_shash *hmac_tfm;

static struct crypto_shash *evm_tfm[HASH_ALGO__LAST];
@@ -38,7 +38,7 @@ static DEFINE_MUTEX(mutex); 


static unsigned long evm_set_key_flags;



static char * const evm_hmac = "hmac(sha1)";

static const char evm_hmac[] = "hmac(sha1)";



/**

 * evm_set_key() - set EVM HMAC key from the kernel

security/integrity/ima/ima.h

+1 −1
Original line number Diff line number Diff line
@@ -88,7 +88,7 @@ struct ima_template_desc { 
	char *name;

	char *fmt;

	int num_fields;

	struct ima_template_field **fields;

	const struct ima_template_field **fields;

};



struct ima_template_entry {

CRA Git | Maintained and supported by SUSTech CRA and CCSE