#
8626afb1 |
| 22-Nov-2021 |
Tvrtko Ursulin <tvrtko.ursulin@intel.com> |
Merge drm/drm-next into drm-intel-gt-next
Thomas needs the dma_resv_for_each_fence API for i915/ttm async migration work.
Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
|
Revision tags: v5.16-rc2 |
|
#
a713ca23 |
| 18-Nov-2021 |
Thomas Zimmermann <tzimmermann@suse.de> |
Merge drm/drm-next into drm-misc-next
Backmerging from drm/drm-next for v5.16-rc1.
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
|
#
467dd91e |
| 16-Nov-2021 |
Maxime Ripard <maxime@cerno.tech> |
Merge drm/drm-fixes into drm-misc-fixes
We need -rc1 to address a breakage in drm/scheduler affecting panfrost.
Signed-off-by: Maxime Ripard <maxime@cerno.tech>
|
Revision tags: v5.16-rc1 |
|
#
7f9f8792 |
| 06-Nov-2021 |
Arnaldo Carvalho de Melo <acme@redhat.com> |
Merge remote-tracking branch 'torvalds/master' into perf/core
To pick up some tools/perf/ patches that went via tip/perf/core, such as:
tools/perf: Add mem_hops field in perf_mem_data_src structure
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
|
#
c150d66b |
| 02-Nov-2021 |
Linus Torvalds <torvalds@linux-foundation.org> |
Merge tag 'integrity-v5.16' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity
Pull integrity subsystem updates from Mimi Zohar: "Other than the new gid IMA policy rule support and the RCU locking fix, the couple of remaining changes are minor/trivial (e.g. __ro_after_init, replacing strscpy)"
* tag 'integrity-v5.16' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
  evm: mark evm_fixmode as __ro_after_init
  ima: Use strscpy instead of strlcpy
  ima_policy: Remove duplicate 'the' in docs comment
  ima: add gid support
  ima: fix uid code style problems
  ima: fix deadlock when traversing "ima_default_rules".
|
#
40e64a88 |
| 02-Nov-2021 |
Petr Mladek <pmladek@suse.com> |
Merge branch 'for-5.16-vsprintf-pgp' into for-linus
|
Revision tags: v5.15, v5.15-rc7, v5.15-rc6, v5.15-rc5 |
|
#
cc4299ea |
| 08-Oct-2021 |
Petr Vorel <pvorel@suse.cz> |
ima: Use strscpy instead of strlcpy
strlcpy is deprecated, use its safer replacement.
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
|
#
61868acb |
| 08-Oct-2021 |
Petr Vorel <pvorel@suse.cz> |
ima_policy: Remove duplicate 'the' in docs comment
Also join string (short enough to be on single line).
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
|
#
40224c41 |
| 07-Oct-2021 |
Curtis Veit <veit@vpieng.com> |
ima: add gid support
IMA currently supports the concept of rules based on uid where the rule is based on the uid of the file owner or the uid of the user accessing the file. Provide the ability to have similar rules based on gid.
Signed-off-by: Curtis Veit <veit@vpieng.com>
Co-developed-by: Alex Henrie <alexh@vpitech.com>
Signed-off-by: Alex Henrie <alexh@vpitech.com>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
|
#
30d8764a |
| 07-Oct-2021 |
Alex Henrie <alexh@vpitech.com> |
ima: fix uid code style problems
scripts/checkpatch.pl wants function arguments to have names; and Mimi prefers to keep the line length in functions to 80 characters or less.
Signed-off-by: Alex Henrie <alexh@vpitech.com>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
|
#
eb0782bb |
| 09-Oct-2021 |
liqiong <liqiong@nfschina.com> |
ima: fix deadlock when traversing "ima_default_rules".
The current IMA ruleset is identified by the variable "ima_rules" that defaults to "&ima_default_rules". When loading a custom policy for the first time, the variable is updated to "&ima_policy_rules" instead. That update isn't RCU-safe, and deadlocks are possible. Indeed, some functions like ima_match_policy() may loop indefinitely when traversing "ima_default_rules" with list_for_each_entry_rcu().
When iterating over the default ruleset back to head, if the list head is "ima_default_rules", and "ima_rules" has been updated to "&ima_policy_rules", the loop condition (&entry->list != ima_rules) stays always true, traversing won't terminate, causing a soft lockup and RCU stalls.
Introduce a temporary value for "ima_rules" when iterating over the ruleset to avoid the deadlocks.
Signed-off-by: liqiong <liqiong@nfschina.com>
Reviewed-by: THOBY Simon <Simon.THOBY@viveris.fr>
Fixes: 38d859f991f3 ("IMA: policy can now be updated multiple times")
Reported-by: kernel test robot <lkp@intel.com> (Fix sparse: incompatible types in comparison expression.)
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
|
#
e700ac21 |
| 06-Oct-2021 |
Tony Lindgren <tony@atomide.com> |
Merge branch 'pruss-fix' into fixes
Merge in a fix for pruss reset issue caused by enabling pruss for am335x.
|
Revision tags: v5.15-rc4, v5.15-rc3 |
|
#
ffb1e76f |
| 20-Sep-2021 |
Mark Brown <broonie@kernel.org> |
Merge tag 'v5.15-rc2' into spi-5.15
Linux 5.15-rc2
|
Revision tags: v5.15-rc2 |
|
#
d1b803f4 |
| 15-Sep-2021 |
Rodrigo Vivi <rodrigo.vivi@intel.com> |
Merge drm/drm-next into drm-intel-next
Catch-up on 5.15-rc1 and sync with drm-intel-gt-next to prepare the PXP topic branch.
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
|
#
d5dd580d |
| 15-Sep-2021 |
Joonas Lahtinen <joonas.lahtinen@linux.intel.com> |
Merge drm/drm-next into drm-intel-gt-next
Close the divergence which has caused patches not to apply and have a solid baseline for the PXP patches that Rodrigo will send a topic branch PR for.
Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
|
#
2f765205 |
| 14-Sep-2021 |
Maxime Ripard <maxime@cerno.tech> |
Merge drm/drm-next into drm-misc-next
Kickstart new drm-misc-next cycle.
Signed-off-by: Maxime Ripard <maxime@cerno.tech>
|
Revision tags: v5.15-rc1 |
|
#
c2f4954c |
| 11-Sep-2021 |
Thomas Gleixner <tglx@linutronix.de> |
Merge branch 'linus' into smp/urgent
Ensure that all usage sites of get/put_online_cpus() except for the struggler in drivers/thermal are gone. So the last user and the deprecated inlines can be removed.
|
#
8be98d2f |
| 06-Sep-2021 |
Dmitry Torokhov <dmitry.torokhov@gmail.com> |
Merge branch 'next' into for-linus
Prepare input updates for 5.15 merge window.
|
#
aef4892a |
| 02-Sep-2021 |
Linus Torvalds <torvalds@linux-foundation.org> |
Merge tag 'integrity-v5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity
Pull integrity subsystem updates from Mimi Zohar:
- Limit the allowed hash algorithms when writing security.ima xattrs or verifying them, based on the IMA policy and the configured hash algorithms.
- Return the calculated "critical data" measurement hash and size to avoid code duplication. (Preparatory change for a proposed LSM.)
- and a single patch to address a compiler warning.
* tag 'integrity-v5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
  IMA: reject unknown hash algorithms in ima_get_hash_algo
  IMA: prevent SETXATTR_CHECK policy rules with unavailable algorithms
  IMA: introduce a new policy option func=SETXATTR_CHECK
  IMA: add a policy option to restrict xattr hash algorithms on appraisal
  IMA: add support to restrict the hash algorithms used for file appraisal
  IMA: block writes of the security.ima xattr with unsupported algorithms
  IMA: remove the dependency on CRYPTO_MD5
  ima: Add digest and digest_len params to the functions to measure a buffer
  ima: Return int in the functions to measure a buffer
  ima: Introduce ima_get_current_hash_algo()
  IMA: remove -Wmissing-prototypes warning
|
Revision tags: v5.14, v5.14-rc7 |
|
#
d07eeeb8 |
| 18-Aug-2021 |
Mimi Zohar <zohar@linux.ibm.com> |
Merge branch 'restrict-digest-alg-v8' into next-integrity
Taken from the cover letter "IMA: restrict the accepted digest algorithms for the security.ima xattr":
Provide users the ability to restrict the algorithms accepted by their system, both when writing/updating xattrs, and when appraising files, while retaining a permissive behavior by default to preserve backward compatibility.
To provide these features, alter the behavior of setxattr to only accept hashes built in the kernel, instead of any hash listed in the kernel (complete list crypto/hash_info.c). In addition, the user can define in his IMA policy the list of digest algorithms allowed for writing to the security.ima xattr. In that case, only algorithms present in that list are accepted for writing.
In addition, users may opt-in to allowlist hash algorithms for appraising thanks to the new 'appraise_algos' IMA policy option. By default IMA will keep accepting any hash algorithm, but specifying that option will make appraisal of files hashed with another algorithm fail.
Link: https://lore.kernel.org/linux-integrity/20210816081056.24530-1-Simon.THOBY@viveris.fr/
|
#
8ecd39cb |
| 16-Aug-2021 |
THOBY Simon <Simon.THOBY@viveris.fr> |
IMA: prevent SETXATTR_CHECK policy rules with unavailable algorithms
SETXATTR_CHECK policy rules assume that any algorithm listed in the 'appraise_algos' flag must be accepted when performing setxattr() on the security.ima xattr. However nothing checks that they are available in the current kernel. A userland application could hash a file with a digest that the kernel wouldn't be able to verify. However, if SETXATTR_CHECK is not in use, the kernel already forbids that xattr write.
Verify that algorithms listed in appraise_algos are available to the current kernel and reject the policy update otherwise. This will fix the inconsistency between SETXATTR_CHECK and non-SETXATTR_CHECK behaviors.
That filtering is only performed in ima_parse_appraise_algos() when updating policies so that we do not have to pay the price of allocating a hash object every time validate_hash_algo() is called in ima_inode_setxattr().
Signed-off-by: THOBY Simon <Simon.THOBY@viveris.fr>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
|
#
4f2946aa |
| 16-Aug-2021 |
THOBY Simon <Simon.THOBY@viveris.fr> |
IMA: introduce a new policy option func=SETXATTR_CHECK
While users can restrict the accepted hash algorithms for the security.ima xattr file signature when appraising said file, users cannot restrict the algorithms that can be set on that attribute: any algorithm built in the kernel is accepted on a write.
Define a new value for the ima policy option 'func' that restricts globally the hash algorithms accepted when writing the security.ima xattr.
When a policy contains a rule of the form
    appraise func=SETXATTR_CHECK appraise_algos=sha256,sha384,sha512
only values corresponding to one of these three digest algorithms will be accepted for writing the security.ima xattr. Attempting to write the attribute using another algorithm (or "free-form" data) will be denied with an audit log message. In the absence of such a policy rule, the default is still to only accept hash algorithms built in the kernel (with all the limitations that entails).
Signed-off-by: THOBY Simon <Simon.THOBY@viveris.fr>
Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
|
#
583a80ae |
| 16-Aug-2021 |
THOBY Simon <Simon.THOBY@viveris.fr> |
IMA: add a policy option to restrict xattr hash algorithms on appraisal
The kernel has the ability to restrict the set of hash algorithms it accepts for the security.ima xattr when it appraises files.
Define a new IMA policy rule option "appraise_algos=", using the mentioned mechanism to expose a user-toggleable policy knob to opt-in to that restriction and select the desired set of algorithms that must be accepted.
When a policy rule uses the 'appraise_algos' option, appraisal of a file referenced by that rule will now fail if the digest algorithm employed to hash the file was not one of those explicitly listed in the option. In its absence, any hash algorithm compiled in the kernel will be accepted.
For example, on a system where SELinux is properly deployed, the rule
    appraise func=BPRM_CHECK obj_type=iptables_exec_t \
        appraise_algos=sha256,sha384
will block the execution of iptables if the xattr security.ima of its executables were not hashed with either sha256 or sha384.
Signed-off-by: THOBY Simon <Simon.THOBY@viveris.fr>
Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
|
#
1624dc00 |
| 16-Aug-2021 |
THOBY Simon <Simon.THOBY@viveris.fr> |
IMA: add support to restrict the hash algorithms used for file appraisal
The kernel accepts any hash algorithm as a value for the security.ima xattr. Users may wish to restrict the accepted algorithms to only support strong cryptographic ones.
Provide the plumbing to restrict the permitted set of hash algorithms used for verifying file hashes and signatures stored in security.ima xattr.
Signed-off-by: THOBY Simon <Simon.THOBY@viveris.fr>
Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
|
Revision tags: v5.14-rc6, v5.14-rc5, v5.14-rc4, v5.14-rc3 |
|
#
320424c7 |
| 19-Jul-2021 |
Dmitry Torokhov <dmitry.torokhov@gmail.com> |
Merge tag 'v5.13' into next
Sync up with the mainline to get the latest parport API.
|