mirror of
https://github.com/Fishwaldo/linux-bl808.git
synced 2025-06-17 20:25:19 +00:00
Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem updates from James Morris:
"Highlights:
- A new LSM, "LoadPin", from Kees Cook is added, which allows forcing
of modules and firmware to be loaded from a specific device (this
is from ChromeOS, where the device as a whole is verified
cryptographically via dm-verity).
This is disabled by default but can be configured to be enabled by
default (don't do this if you don't know what you're doing).
- Keys: allow authentication data to be stored in an asymmetric key.
Lots of general fixes and updates.
- SELinux: add restrictions for loading of kernel modules via
finit_module(). Distinguish non-init user namespace capability
checks. Apply execstack check on thread stacks"
* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (48 commits)
LSM: LoadPin: provide enablement CONFIG
Yama: use atomic allocations when reporting
seccomp: Fix comment typo
ima: add support for creating files using the mknodat syscall
ima: fix ima_inode_post_setattr
vfs: forbid write access when reading a file into memory
fs: fix over-zealous use of "const"
selinux: apply execstack check on thread stacks
selinux: distinguish non-init user namespace capability checks
LSM: LoadPin for kernel file loading restrictions
fs: define a string representation of the kernel_read_file_id enumeration
Yama: consolidate error reporting
string_helpers: add kstrdup_quotable_file
string_helpers: add kstrdup_quotable_cmdline
string_helpers: add kstrdup_quotable
selinux: check ss_initialized before revalidating an inode label
selinux: delay inode label lookup as long as possible
selinux: don't revalidate an inode's label when explicitly setting it
selinux: Change bool variable name to index.
KEYS: Add KEYCTL_DH_COMPUTE command
...
This commit is contained in:
Linus Torvalds
commit
f4f27d0028
82 changed files with 1915 additions and 807 deletions
|
|
@ -60,6 +60,7 @@ int __init security_init(void)
|
|||
*/
|
||||
capability_add_hooks();
|
||||
yama_add_hooks();
|
||||
loadpin_add_hooks();
|
||||
|
||||
/*
|
||||
* Load all the remaining security modules.
|
||||
|
|
@ -1848,7 +1849,6 @@ struct security_hook_heads security_hook_heads = {
|
|||
.tun_dev_attach =
|
||||
LIST_HEAD_INIT(security_hook_heads.tun_dev_attach),
|
||||
.tun_dev_open = LIST_HEAD_INIT(security_hook_heads.tun_dev_open),
|
||||
.skb_owned_by = LIST_HEAD_INIT(security_hook_heads.skb_owned_by),
|
||||
#endif /* CONFIG_SECURITY_NETWORK */
|
||||
#ifdef CONFIG_SECURITY_NETWORK_XFRM
|
||||
.xfrm_policy_alloc_security =
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue