Changes in Makefile

c771600c6af14749609b49565ffb4cac2959710d - Merge drm/drm-next into drm-intel-gt-next

Wed, 05 Feb 2025 10:29:14 +0100

Merge drm/drm-next into drm-intel-gt-nextWe need4ba4f1afb6a9 ("perf: Generic hotplug support for a PMU with a scope")in order to land a i915 PMU simplification and a fix. That landed in 6.12and we are stuck at 6.9 so lets bump things forward.Signed-off-by: Tvrtko Ursulin List of files: /linux/security/ipe/Makefile

25768de50b1f2dbb6ea44bd5148a87fe2c9c3688 - Merge branch 'next' into for-linus

Tue, 21 Jan 2025 06:37:39 +0100

Merge branch 'next' into for-linusPrepare input updates for 6.14 merge window. List of files: /linux/security/ipe/Makefile

6d4a0f4ea72319c9a37c1a7191695467006dd272 - Merge tag 'v6.13-rc3' into next

Tue, 17 Dec 2024 18:40:45 +0100

Merge tag 'v6.13-rc3' into nextSync up with the mainline. List of files: /linux/security/ipe/Makefile

77b679453d3364688ff3e5153c0be5b2b52672b7 - Merge tag 'v6.12-rc3' into perf-tools-next

Mon, 14 Oct 2024 19:45:28 +0200

Merge tag 'v6.12-rc3' into perf-tools-nextTo get the fixes in the current perf-tools tree.Signed-off-by: Namhyung Kim List of files: /linux/security/ipe/Makefile

3fd6c59042dbba50391e30862beac979491145fe - Merge tag 'v6.12-rc1' into clk-meson-next

Mon, 30 Sep 2024 11:28:07 +0200

Merge tag 'v6.12-rc1' into clk-meson-nextLinux 6.12-rc1 List of files: /linux/security/ipe/Makefile

a0efa2f362a69e47b9d8b48f770ef3a0249a7911 - Merge net-next/main to resolve conflicts

Wed, 09 Oct 2024 08:59:14 +0200

Merge net-next/main to resolve conflictsThe wireless-next tree was based on something older, and thereare now conflicts between -rc2 and work here. Merge net-next,which has enough of -rc2 for the conflicts to happen, resolvingthem in the process.Signed-off-by: Johannes Berg List of files: /linux/security/ipe/Makefile

b88132ceb3faccdd785809df75f9d490ebaab459 - Merge drm/drm-next into drm-xe-next

Fri, 04 Oct 2024 11:29:21 +0200

Merge drm/drm-next into drm-xe-nextBackmerging to resolve a conflict with core locally.Signed-off-by: Thomas Hellström List of files: /linux/security/ipe/Makefile

2dd0ef5d951e9b565ddb324fe26c531b6a40bf82 - Merge drm/drm-next into drm-misc-next

Mon, 30 Sep 2024 10:50:54 +0200

Merge drm/drm-next into drm-misc-nextGet drm-misc-next to up v6.12-rc1.Signed-off-by: Thomas Zimmermann List of files: /linux/security/ipe/Makefile

e0568571258d096f0277c74185bcbfc9cf21bccb - Merge drm/drm-next into drm-intel-next

Mon, 30 Sep 2024 10:49:10 +0200

Merge drm/drm-next into drm-intel-nextSync to v6.12-rc1.Signed-off-by: Jani Nikula List of files: /linux/security/ipe/Makefile

c8d430db8eec7d4fd13a6bea27b7086a54eda6da - Merge tag 'kvmarm-fixes-6.12-1' of git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm into HEAD

Sun, 06 Oct 2024 09:59:22 +0200

Merge tag 'kvmarm-fixes-6.12-1' of git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm into HEADKVM/arm64 fixes for 6.12, take #1- Fix pKVM error path on init, making sure we do not change critical system registers as we're about to fail- Make sure that the host's vector length is at capped by a value common to all CPUs- Fix kvm_has_feat*() handling of "negative" features, as the current code is pretty broken- Promote Joey to the status of official reviewer, while James steps down -- hopefully only temporarly List of files: /linux/security/ipe/Makefile

0c436dfe5c25d0931b164b944165259f95e5281f - Merge tag 'asoc-fix-v6.12-rc1' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus

Wed, 02 Oct 2024 21:29:16 +0200

Merge tag 'asoc-fix-v6.12-rc1' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linusASoC: Fixes for v6.12A bunch of fixes here that came in during the merge window and the firstweek of release, plus some new quirks and device IDs. There's nothingmajor here, it's a bit bigger than it might've been due to there beingno fixes sent during the merge window due to your vacation. List of files: /linux/security/ipe/Makefile

2cd86f02c017bf9733e5cd891381b7d40f6f37ad - Merge remote-tracking branch 'drm/drm-fixes' into drm-misc-fixes

Tue, 01 Oct 2024 18:09:41 +0200

Merge remote-tracking branch 'drm/drm-fixes' into drm-misc-fixesRequired for a panthor fix that broke whenFOP_UNSIGNED_OFFSET was added in place of FMODE_UNSIGNED_OFFSET.Signed-off-by: Maarten Lankhorst List of files: /linux/security/ipe/Makefile

3a39d672e7f48b8d6b91a09afa4b55352773b4b5 - Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

Fri, 27 Sep 2024 08:13:52 +0200

Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/netCross-merge networking fixes after downstream PR.No conflicts and no adjacent changes.Signed-off-by: Paolo Abeni List of files: /linux/security/ipe/Makefile

a430d95c5efa2b545d26a094eb5f624e36732af0 - Merge tag 'lsm-pr-20240911' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm

Mon, 16 Sep 2024 18:19:47 +0200

Merge tag 'lsm-pr-20240911' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsmPull lsm updates from Paul Moore: - Move the LSM framework to static calls This transitions the vast majority of the LSM callbacks into static calls. Those callbacks which haven't been converted were left as-is due to the general ugliness of the changes required to support the static call conversion; we can revisit those callbacks at a future date. - Add the Integrity Policy Enforcement (IPE) LSM This adds a new LSM, Integrity Policy Enforcement (IPE). There is plenty of documentation about IPE in this patches, so I'll refrain from going into too much detail here, but the basic motivation behind IPE is to provide a mechanism such that administrators can restrict execution to only those binaries which come from integrity protected storage, e.g. a dm-verity protected filesystem. You will notice that IPE requires additional LSM hooks in the initramfs, dm-verity, and fs-verity code, with the associated patches carrying ACK/review tags from the associated maintainers. We couldn't find an obvious maintainer for the initramfs code, but the IPE patchset has been widely posted over several years. Both Deven Bowers and Fan Wu have contributed to IPE's development over the past several years, with Fan Wu agreeing to serve as the IPE maintainer moving forward. Once IPE is accepted into your tree, I'll start working with Fan to ensure he has the necessary accounts, keys, etc. so that he can start submitting IPE pull requests to you directly during the next merge window. - Move the lifecycle management of the LSM blobs to the LSM framework Management of the LSM blobs (the LSM state buffers attached to various kernel structs, typically via a void pointer named "security" or similar) has been mixed, some blobs were allocated/managed by individual LSMs, others were managed by the LSM framework itself. Starting with this pull we move management of all the LSM blobs, minus the XFRM blob, into the framework itself, improving consistency across LSMs, and reducing the amount of duplicated code across LSMs. Due to some additional work required to migrate the XFRM blob, it has been left as a todo item for a later date; from a practical standpoint this omission should have little impact as only SELinux provides a XFRM LSM implementation. - Fix problems with the LSM's handling of F_SETOWN The LSM hook for the fcntl(F_SETOWN) operation had a couple of problems: it was racy with itself, and it was disconnected from the associated DAC related logic in such a way that the LSM state could be updated in cases where the DAC state would not. We fix both of these problems by moving the security_file_set_fowner() hook into the same section of code where the DAC attributes are updated. Not only does this resolve the DAC/LSM synchronization issue, but as that code block is protected by a lock, it also resolve the race condition. - Fix potential problems with the security_inode_free() LSM hook Due to use of RCU to protect inodes and the placement of the LSM hook associated with freeing the inode, there is a bit of a challenge when it comes to managing any LSM state associated with an inode. The VFS folks are not open to relocating the LSM hook so we have to get creative when it comes to releasing an inode's LSM state. Traditionally we have used a single LSM callback within the hook that is triggered when the inode is "marked for death", but not actually released due to RCU. Unfortunately, this causes problems for LSMs which want to take an action when the inode's associated LSM state is actually released; so we add an additional LSM callback, inode_free_security_rcu(), that is called when the inode's LSM state is released in the RCU free callback. - Refactor two LSM hooks to better fit the LSM return value patterns The vast majority of the LSM hooks follow the "return 0 on success, negative values on failure" pattern, however, there are a small handful that have unique return value behaviors which has caused confusion in the past and makes it difficult for the BPF verifier to properly vet BPF LSM programs. This includes patches to convert two of these"special" LSM hooks to the common 0/-ERRNO pattern. - Various cleanups and improvements A handful of patches to remove redundant code, better leverage the IS_ERR_OR_NULL() helper, add missing "static" markings, and do some minor style fixups.* tag 'lsm-pr-20240911' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm: (40 commits) security: Update file_set_fowner documentation fs: Fix file_set_fowner LSM hook inconsistencies lsm: Use IS_ERR_OR_NULL() helper function lsm: remove LSM_COUNT and LSM_CONFIG_COUNT ipe: Remove duplicated include in ipe.c lsm: replace indirect LSM hook calls with static calls lsm: count the LSMs enabled at compile time kernel: Add helper macros for loop unrolling init/main.c: Initialize early LSMs after arch code, static keys and calls. MAINTAINERS: add IPE entry with Fan Wu as maintainer documentation: add IPE documentation ipe: kunit test for parser scripts: add boot policy generation program ipe: enable support for fs-verity as a trust provider fsverity: expose verified fsverity built-in signatures to LSMs lsm: add security_inode_setintegrity() hook ipe: add support for dm-verity as a trust provider dm-verity: expose root hash digest and signature data to LSMs block,lsm: add LSM blob and new LSM hooks for block devices ipe: add permissive toggle ... List of files: /linux/security/ipe/Makefile

10ca05a7606519c7ec6a4b48be00ef90822c36a8 - ipe: kunit test for parser

Sat, 03 Aug 2024 08:08:32 +0200

ipe: kunit test for parserAdd various happy/unhappy unit tests for both IPE's policy parser.Besides, a test suite for IPE functionality is available athttps://github.com/microsoft/ipe/tree/test-suiteSigned-off-by: Deven Bowers Signed-off-by: Fan Wu Signed-off-by: Paul Moore List of files: /linux/security/ipe/Makefile

ba199dc909a20fe62270ae4e93f263987bb9d119 - scripts: add boot policy generation program

Sat, 03 Aug 2024 08:08:31 +0200

scripts: add boot policy generation programEnables an IPE policy to be enforced from kernel start, enabling accesscontrol based on trust from kernel startup. This is accomplished bytransforming an IPE policy indicated by CONFIG_IPE_BOOT_POLICY into ac-string literal that is parsed at kernel startup as an unsigned policy.Signed-off-by: Deven Bowers Signed-off-by: Fan Wu Signed-off-by: Paul Moore List of files: /linux/security/ipe/Makefile

e155858dd99523d4afe0f74e9c26e4f4499eb5af - ipe: add support for dm-verity as a trust provider

Sat, 03 Aug 2024 08:08:27 +0200

ipe: add support for dm-verity as a trust providerAllows author of IPE policy to indicate trust for a singular dm-verityvolume, identified by roothash, through "dmverity_roothash" and allsigned and validated dm-verity volumes, through "dmverity_signature".Signed-off-by: Deven Bowers Signed-off-by: Fan Wu [PM: fixed some line length issues in the comments]Signed-off-by: Paul Moore List of files: /linux/security/ipe/Makefile

f44554b5067b36c14cc91ed811fa1bd58baed34a - audit,ipe: add IPE auditing support

Sat, 03 Aug 2024 08:08:23 +0200

audit,ipe: add IPE auditing supportUsers of IPE require a way to identify when and why an operation fails,allowing them to both respond to violations of policy and be notifiedof potentially malicious actions on their systems with respect to IPEitself.This patch introduces 3 new audit events.AUDIT_IPE_ACCESS(1420) indicates the result of an IPE policy evaluationof a resource.AUDIT_IPE_CONFIG_CHANGE(1421) indicates the current active IPE policyhas been changed to another loaded policy.AUDIT_IPE_POLICY_LOAD(1422) indicates a new IPE policy has been loadedinto the kernel.This patch also adds support for success auditing, allowing users toidentify why an allow decision was made for a resource. However, it isrecommended to use this option with caution, as it is quite noisy.Here are some examples of the new audit record types:AUDIT_IPE_ACCESS(1420): audit: AUDIT1420 ipe_op=EXECUTE ipe_hook=BPRM_CHECK enforcing=1 pid=297 comm="sh" path="/root/vol/bin/hello" dev="tmpfs" ino=3897 rule="op=EXECUTE boot_verified=TRUE action=ALLOW" audit: AUDIT1420 ipe_op=EXECUTE ipe_hook=BPRM_CHECK enforcing=1 pid=299 comm="sh" path="/mnt/ipe/bin/hello" dev="dm-0" ino=2 rule="DEFAULT action=DENY" audit: AUDIT1420 ipe_op=EXECUTE ipe_hook=BPRM_CHECK enforcing=1 pid=300 path="/tmp/tmpdp2h1lub/deny/bin/hello" dev="tmpfs" ino=131 rule="DEFAULT action=DENY"The above three records were generated when the active IPE policy onlyallows binaries from the initramfs to run. The three identical `hello`binary were placed at different locations, only the first hello fromthe rootfs(initramfs) was allowed.Field ipe_op followed by the IPE operation name associated with the log.Field ipe_hook followed by the name of the LSM hook that triggered the IPEevent.Field enforcing followed by the enforcement state of IPE. (it will beintroduced in the next commit)Field pid followed by the pid of the process that triggered the IPEevent.Field comm followed by the command line program name of the process thattriggered the IPE event.Field path followed by the file's path name.Field dev followed by the device name as found in /dev where the file isfrom.Note that for device mappers it will use the name `dm-X` instead ofthe name in /dev/mapper.For a file in a temp file system, which is not from a device, it will use`tmpfs` for the field.The implementation of this part is following another existing use caseLSM_AUDIT_DATA_INODE in security/lsm_audit.cField ino followed by the file's inode number.Field rule followed by the IPE rule made the access decision. The wholerule must be audited because the decision is based on the combination ofall property conditions in the rule.Along with the syscall audit event, user can know why a blockedhappened. For example: audit: AUDIT1420 ipe_op=EXECUTE ipe_hook=BPRM_CHECK enforcing=1 pid=2138 comm="bash" path="/mnt/ipe/bin/hello" dev="dm-0" ino=2 rule="DEFAULT action=DENY" audit[1956]: SYSCALL arch=c000003e syscall=59 success=no exit=-13 a0=556790138df0 a1=556790135390 a2=5567901338b0 a3=ab2a41a67f4f1f4e items=1 ppid=147 pid=1956 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="bash" exe="/usr/bin/bash" key=(null)The above two records showed bash used execve to run "hello" and gotblocked by IPE. Note that the IPE records are always prior to a SYSCALLrecord.AUDIT_IPE_CONFIG_CHANGE(1421): audit: AUDIT1421 old_active_pol_name="Allow_All" old_active_pol_version=0.0.0 old_policy_digest=sha256:E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649 new_active_pol_name="boot_verified" new_active_pol_version=0.0.0 new_policy_digest=sha256:820EEA5B40CA42B51F68962354BA083122A20BB846F auid=4294967295 ses=4294967295 lsm=ipe res=1The above record showed the current IPE active policy switch from`Allow_All` to `boot_verified` along with the version and the hashdigest of the two policies. Note IPE can only have one policy activeat a time, all access decision evaluation is based on the current activepolicy.The normal procedure to deploy a policy is loading the policy to deployinto the kernel first, then switch the active policy to it.AUDIT_IPE_POLICY_LOAD(1422): audit: AUDIT1422 policy_name="boot_verified" policy_version=0.0.0 policy_digest=sha256:820EEA5B40CA42B51F68962354BA083122A20BB846F2676 auid=4294967295 ses=4294967295 lsm=ipe res=1The above record showed a new policy has been loaded into the kernelwith the policy name, policy version and policy hash.Signed-off-by: Deven Bowers Signed-off-by: Fan Wu [PM: subject line tweak]Signed-off-by: Paul Moore List of files: /linux/security/ipe/Makefile

2261306f4a3cea362fc40285e750a801dc0cfbe3 - ipe: add userspace interface

Sat, 03 Aug 2024 08:08:22 +0200

ipe: add userspace interfaceAs is typical with LSMs, IPE uses securityfs as its interface withuserspace. for a complete list of the interfaces and the respectiveinputs/outputs, please see the documentation underadmin-guide/LSM/ipe.rstSigned-off-by: Deven Bowers Signed-off-by: Fan Wu Signed-off-by: Paul Moore List of files: /linux/security/ipe/Makefile

52443cb60c356707df494910fa134bbb0a8b1a66 - ipe: add LSM hooks on execution and kernel read

Sat, 03 Aug 2024 08:08:18 +0200

ipe: add LSM hooks on execution and kernel readIPE's initial goal is to control both execution and the loading ofkernel modules based on the system's definition of trust. Itaccomplishes this by plugging into the security hooks forbprm_check_security, file_mprotect, mmap_file, kernel_load_data,and kernel_read_data.Signed-off-by: Deven Bowers Signed-off-by: Fan Wu Signed-off-by: Paul Moore List of files: /linux/security/ipe/Makefile