projects / linux-2.6-microblaze.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | combined (merge: 21e80f3 b836c4d)
Merge tag 'integrity-v6.7' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar...
authorLinus Torvalds <torvalds@linux-foundation.org>
Thu, 2 Nov 2023 16:53:22 +0000 (06:53 -1000)
committerLinus Torvalds <torvalds@linux-foundation.org>
Thu, 2 Nov 2023 16:53:22 +0000 (06:53 -1000)
Pull integrity updates from Mimi Zohar:
 "Four integrity changes: two IMA-overlay updates, an integrity Kconfig
  cleanup, and a secondary keyring update"

* tag 'integrity-v6.7' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
  ima: detect changes to the backing overlay file
  certs: Only allow certs signed by keys on the builtin keyring
  integrity: fix indentation of config attributes
  ima: annotate iint mutex to avoid lockdep false positive warnings

1  2 
fs/overlayfs/super.c patch | diff1 | diff2 | blob | history
security/integrity/Kconfig patch | diff1 | diff2 | blob | history

diff --cc fs/overlayfs/super.c
index 6cd949c,c71d185..17864a8
--- 1/fs/overlayfs/super.c
--- 2/fs/overlayfs/super.c
+++ b/fs/overlayfs/super.c
@@@ -1496,16 -1488,8 +1496,16 @@@ int ovl_fill_super(struct super_block *
        sb->s_xattr = ofs->config.userxattr ? ovl_user_xattr_handlers :
                ovl_trusted_xattr_handlers;
        sb->s_fs_info = ofs;
 +#ifdef CONFIG_FS_POSIX_ACL
        sb->s_flags |= SB_POSIXACL;
-       sb->s_iflags |= SB_I_SKIP_SYNC | SB_I_IMA_UNVERIFIABLE_SIGNATURE;
 +#endif
+       sb->s_iflags |= SB_I_SKIP_SYNC;
 +      /*
 +       * Ensure that umask handling is done by the filesystems used
 +       * for the the upper layer instead of overlayfs as that would
 +       * lead to unexpected results.
 +       */
 +      sb->s_iflags |= SB_I_NOUMASK;
  
        err = -ENOMEM;
        root_dentry = ovl_get_root(sb, ctx->upper.dentry, oe);
diff --cc security/integrity/Kconfig
index b6e074a,1e151e6..3c45f4f
--- 1/security/integrity/Kconfig
--- 2/security/integrity/Kconfig
+++ b/security/integrity/Kconfig
@@@ -68,11 -68,13 +68,11 @@@ config INTEGRITY_MACHINE_KEYRIN
        depends on INTEGRITY_ASYMMETRIC_KEYS
        depends on SYSTEM_BLACKLIST_KEYRING
        depends on LOAD_UEFI_KEYS || LOAD_PPC_KEYS
 -      select INTEGRITY_CA_MACHINE_KEYRING if LOAD_PPC_KEYS
 -      select INTEGRITY_CA_MACHINE_KEYRING_MAX if LOAD_PPC_KEYS
        help
-        If set, provide a keyring to which Machine Owner Keys (MOK) may
-        be added. This keyring shall contain just MOK keys.  Unlike keys
-        in the platform keyring, keys contained in the .machine keyring will
-        be trusted within the kernel.
+         If set, provide a keyring to which Machine Owner Keys (MOK) may
+         be added. This keyring shall contain just MOK keys.  Unlike keys
+         in the platform keyring, keys contained in the .machine keyring will
+         be trusted within the kernel.
  
  config INTEGRITY_CA_MACHINE_KEYRING
        bool "Enforce Machine Keyring CA Restrictions"
MicroBlaze GIT Repository