Changes in ima_policy

0fc8f6200d2313278fbf4539bbab74677c685531 - Merge drm/drm-fixes into drm-misc-fixes

Mon, 27 Apr 2026 10:26:49 +0200

Merge drm/drm-fixes into drm-misc-fixesGetting fixes and updates from v7.1-rc1.Signed-off-by: Thomas Zimmermann List of files: /linux/Documentation/ABI/testing/ima_policy

f4b369c6fe0ceaba2da2daff8c9eb415f85926dd - Merge branch 'next' into for-linus

Mon, 20 Apr 2026 03:28:57 +0200

Merge branch 'next' into for-linusPrepare input updates for 7.1 merge window. List of files: /linux/Documentation/ABI/testing/ima_policy

0421ccdfad0d92713a812a5aeb7d07b0ea7213c8 - Merge tag 'v7.0-rc3' into next

Thu, 12 Mar 2026 18:44:42 +0100

Merge tag 'v7.0-rc3' into nextSync up with the mainline to brig up the latest changes, specificallychanges to ALPS driver. List of files: /linux/Documentation/ABI/testing/ima_policy

9cdca336677b4d15579ec462e33c8a330ab3a9de - Merge tag 'integrity-v7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity

Sat, 18 Apr 2026 00:42:01 +0200

Merge tag 'integrity-v7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrityPull integrity updates from Mimi Zohar: "There are two main changes, one feature removal, some code cleanup, and a number of bug fixes. Main changes: - Detecting secure boot mode was limited to IMA. Make detecting secure boot mode accessible to EVM and other LSMs - IMA sigv3 support was limited to fsverity. Add IMA sigv3 support for IMA regular file hashes and EVM portable signatures Remove: - Remove IMA support for asychronous hash calculation originally added for hardware acceleration Cleanup: - Remove unnecessary Kconfig CONFIG_MODULE_SIG and CONFIG_KEXEC_SIG tests - Add descriptions of the IMA atomic flags Bug fixes: - Like IMA, properly limit EVM "fix" mode - Define and call evm_fix_hmac() to update security.evm - Fallback to using i_version to detect file change for filesystems that do not support STATX_CHANGE_COOKIE - Address missing kernel support for configured (new) TPM hash algorithms - Add missing crypto_shash_final() return value"* tag 'integrity-v7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity: evm: Enforce signatures version 3 with new EVM policy 'bit 3' integrity: Allow sigv3 verification on EVM_XATTR_PORTABLE_DIGSIG ima: add support to require IMA sigv3 signatures ima: add regular file data hash signature version 3 support ima: Define asymmetric_verify_v3() to verify IMA sigv3 signatures ima: remove buggy support for asynchronous hashes integrity: Eliminate weak definition of arch_get_secureboot() ima: Add code comments to explain IMA iint cache atomic_flags ima_fs: Correctly create securityfs files for unsupported hash algos ima: check return value of crypto_shash_final() in boot aggregate ima: Define and use a digest_size field in the ima_algo_desc structure powerpc/ima: Drop unnecessary check for CONFIG_MODULE_SIG ima: efi: Drop unnecessary check for CONFIG_MODULE_SIG/CONFIG_KEXEC_SIG ima: fallback to using i_version to detect file change evm: fix security.evm for a file with IMA signature s390: Drop unnecessary CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT evm: Don't enable fix mode when secure boot is enabled integrity: Make arch_ima_get_secureboot integrity-wide List of files: /linux/Documentation/ABI/testing/ima_policy

de4c44a7f559ceae19f7a70febf49e87bdfb125c - ima: add support to require IMA sigv3 signatures

Tue, 10 Mar 2026 14:16:25 +0100

ima: add support to require IMA sigv3 signaturesDefining a policy rule with the "appraise_type=imasig" option allowseither v2 or v3 signatures. Defining an IMA appraise rule with the"appraise_type=sigv3" option requires a file sigv3 signature.Define a new appraise type: IMA_SIGV3_REQUIREDExample: appraise func=BPRM_CHECK appraise_type=sigv3Tested-by: Stefan Berger Acked-by: Eric Biggers Signed-off-by: Mimi Zohar List of files: /linux/Documentation/ABI/testing/ima_policy

cc4adab164b772a34b3340d644b7c4728498581e - Merge tag 'v6.19-rc1' into msm-next

Tue, 20 Jan 2026 23:06:55 +0100

Merge tag 'v6.19-rc1' into msm-nextMerge Linux 6.19-rc1 in order to catch up with other changes (e.g. UBWCconfig database defining UBWC_6).Signed-off-by: Dmitry Baryshkov List of files: /linux/Documentation/ABI/testing/ima_policy

5add3c3c280a35f7e258e9cef7607db5a2e56fdc - Merge drm/drm-next into drm-xe-next

Fri, 19 Dec 2025 11:51:22 +0100

Merge drm/drm-next into drm-xe-nextBackmerging to bring in 6.19-rc1. An important upstream bugfix andto help unblock PTL CI.Signed-off-by: Thomas Hellström List of files: /linux/Documentation/ABI/testing/ima_policy

b8304863a3990d0f18c38e5b94191830a63ee1af - Merge drm/drm-next into drm-intel-next

Mon, 15 Dec 2025 14:24:02 +0100

Merge drm/drm-next into drm-intel-nextSync-up some display code needed for Async flips refactor.Signed-off-by: Rodrigo Vivi List of files: /linux/Documentation/ABI/testing/ima_policy

7f790dd21a931c61167f7bdc327aecf2cebad327 - Merge drm/drm-next into drm-misc-next

Mon, 15 Dec 2025 09:27:39 +0100

Merge drm/drm-next into drm-misc-nextLet's kickstart the v6.20 (7.0?) release cycle.Signed-off-by: Maxime Ripard List of files: /linux/Documentation/ABI/testing/ima_policy

24f171c7e145f43b9f187578e89b0982ce87e54c - Merge tag 'asoc-fix-v6.19-rc1' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus

Sun, 21 Dec 2025 11:11:11 +0100

Merge tag 'asoc-fix-v6.19-rc1' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linusASoC: Fixes for v6.19We've been quite busy with fixes since the merge window, though not inany particularly exciting ways - the standout thing is the fix for _SXcontrols which were broken by a change to how we do clamping, otherwiseit's all fairly run of the mill fixes and quirks. List of files: /linux/Documentation/ABI/testing/ima_policy

84318277d6334c6981ab326d4acc87c6a6ddc9b8 - Merge remote-tracking branch 'drm/drm-fixes' into drm-misc-fixes

Mon, 15 Dec 2025 12:53:27 +0100

Merge remote-tracking branch 'drm/drm-fixes' into drm-misc-fixesPull in rc1 to include all changes since the merge window closed,and grab all fixes and changes from drm/drm-next.Signed-off-by: Maarten Lankhorst List of files: /linux/Documentation/ABI/testing/ima_policy

777f8171602d5954cac024b66afa1b5b030641a4 - Merge tag 'integrity-v6.19' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity

Wed, 03 Dec 2025 20:08:03 +0100

Merge tag 'integrity-v6.19' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrityPull integrity updates from Mimi Zohar: "Bug fixes: - defer credentials checking from the bprm_check_security hook to the bprm_creds_from_file security hook - properly ignore IMA policy rules based on undefined SELinux labels IMA policy rule extensions: - extend IMA to limit including file hashes in the audit logs (dont_audit action) - define a new filesystem subtype policy option (fs_subtype) Misc: - extend IMA to support in-kernel module decompression by deferring the IMA signature verification in kernel_read_file() to after the kernel module is decompressed"* tag 'integrity-v6.19' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity: ima: Handle error code returned by ima_filter_rule_match() ima: Access decompressed kernel module to verify appended signature ima: add fs_subtype condition for distinguishing FUSE instances ima: add dont_audit action to suppress audit actions ima: Attach CREDS_CHECK IMA hook to bprm_creds_from_file LSM hook List of files: /linux/Documentation/ABI/testing/ima_policy

43369273518f57b7d56c1cf12d636a809b7bd81b - ima: add fs_subtype condition for distinguishing FUSE instances

Fri, 26 Sep 2025 01:45:07 +0200

ima: add fs_subtype condition for distinguishing FUSE instancesLinux systems often use FUSE for several different purposes, where thecontents of some FUSE instances can be of more interest for auditingthan others.Allow distinguishing between them based on the filesystem subtype(s_subtype) using the new condition "fs_subtype".The subtype string is supplied by userspace FUSE daemonswhen a FUSE connection is initialized, so policy authors who want tofilter based on subtype need to ensure that FUSE mount operations aresufficiently audited or restricted.Signed-off-by: Jann Horn Signed-off-by: Mimi Zohar List of files: /linux/Documentation/ABI/testing/ima_policy

345123d650db724d53ffee84d7365008c6f729de - ima: add dont_audit action to suppress audit actions

Fri, 26 Sep 2025 01:45:06 +0200

ima: add dont_audit action to suppress audit actions"measure", "appraise" and "hash" actions all have corresponding "dont_*"actions, but "audit" currently lacks that. This means it is notcurrently possible to have a policy that audits everything by default,but excludes specific cases.This seems to have been an oversight back when the "audit" action wasadded.Add a corresponding "dont_audit" action to enable such uses.Signed-off-by: Jann Horn Signed-off-by: Mimi Zohar List of files: /linux/Documentation/ABI/testing/ima_policy

a23e1966932464e1c5226cb9ac4ce1d5fc10ba22 - Merge branch 'next' into for-linus

Mon, 15 Jul 2024 23:03:44 +0200

Merge branch 'next' into for-linusPrepare input updates for 6.11 merge window. List of files: /linux/Documentation/ABI/testing/ima_policy

6f47c7ae8c7afaf9ad291d39f0d3974f191a7946 - Merge tag 'v6.9' into next

Tue, 28 May 2024 06:37:18 +0200

Merge tag 'v6.9' into nextSync up with the mainline to bring in the new cleanup API. List of files: /linux/Documentation/ABI/testing/ima_policy

a1c613ae4c322ddd58d5a8539dbfba2a0380a8c0 - Merge drm/drm-next into drm-intel-gt-next

Tue, 24 Oct 2023 10:50:22 +0200

Merge drm/drm-next into drm-intel-gt-nextWork that needs to land in drm-intel-gt-next depends on two patches onlypresent in drm-intel-next, absence of which is causing a merge conflict: 3b918f4f0c8b ("drm/i915/pxp: Optimize GET_PARAM:PXP_STATUS") ac765b7018f6 ("drm/i915/pxp/mtl: intel_pxp_init_hw needs runtime-pm inside pm-complete")Signed-off-by: Tvrtko Ursulin List of files: /linux/Documentation/ABI/testing/ima_policy

a940daa52167e9db8ecce82213813b735a9d9f23 - Merge branch 'linus' into smp/core

Tue, 17 Oct 2023 21:40:46 +0200

Merge branch 'linus' into smp/corePull in upstream to get the fixes so depending changes can be applied. List of files: /linux/Documentation/ABI/testing/ima_policy

57390019b68b83f96eb98f490367b9df1f2d77cb - Merge drm/drm-next into drm-misc-next

Wed, 11 Oct 2023 09:50:59 +0200

Merge drm/drm-next into drm-misc-nextUpdating drm-misc-next to the state of Linux v6.6-rc2.Signed-off-by: Thomas Zimmermann List of files: /linux/Documentation/ABI/testing/ima_policy

de80193308f43d3ae52cd3561e8ba77cd1437311 - Merge tag 'v6.6-rc4' into perf/core, to pick up fixes

Tue, 03 Oct 2023 09:32:25 +0200

Merge tag 'v6.6-rc4' into perf/core, to pick up fixesSigned-off-by: Ingo Molnar List of files: /linux/Documentation/ABI/testing/ima_policy