Merge branch 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris...

Pull security subsystem updates from James Morris:

 - kstrdup() return value fix from Eric Biggers

 - Add new security_load_data hook to differentiate security checking of
   kernel-loaded binaries in the case of there being no associated file
   descriptor, from Mimi Zohar.

 - Add ability to IMA to specify a policy at build-time, rather than
   just via command line params or by loading a custom policy, from
   Mimi.

 - Allow IMA and LSMs to prevent sysfs firmware load fallback (e.g. if
   using signed firmware), from Mimi.

 - Allow IMA to deny loading of kexec kernel images, as they cannot be
   measured by IMA, from Mimi.

* 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  security: check for kstrdup() failure in lsm_append()
  security: export security_kernel_load_data function
  ima: based on policy warn about loading firmware (pre-allocated buffer)
  module: replace the existing LSM hook in init_module
  ima: add build time policy
  ima: based on policy require signed firmware (sysfs fallback)
  firmware: add call to LSM hook before firmware sysfs fallback
  ima: based on policy require signed kexec kernel images
  kexec: add call to LSM hook in original kexec_load syscall
  security: define new LSM hook named security_kernel_load_data
  MAINTAINERS: remove the outdated "LINUX SECURITY MODULE (LSM) FRAMEWORK" entry

diff --cc MAINTAINERS
index f7a8faf,3119bba..a95a7e6
--- 1/MAINTAINERS
--- 2/MAINTAINERS
+++ b/MAINTAINERS
@@@ -8336,17 -8315,8 +8336,12 @@@ L:    linux-arch@vger.kernel.or
  S:    Supported
  T:    git git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu.git
  F:    tools/memory-model/
 +F:    Documentation/atomic_bitops.txt
 +F:    Documentation/atomic_t.txt
 +F:    Documentation/core-api/atomic_ops.rst
 +F:    Documentation/core-api/refcount-vs-atomic.rst
  F:    Documentation/memory-barriers.txt
  
- LINUX SECURITY MODULE (LSM) FRAMEWORK
- M:    Chris Wright <chrisw@sous-sol.org>
- L:    linux-security-module@vger.kernel.org
- S:    Supported
- 
  LIS3LV02D ACCELEROMETER DRIVER
  M:    Eric Piel <eric.piel@tremplin-utc.net>
  S:    Maintained

diff --cc include/linux/ima.h
index d9ba3fc,84806b5..97914a2
--- 1/include/linux/ima.h
--- 2/include/linux/ima.h
+++ b/include/linux/ima.h
@@@ -16,9 -17,10 +17,10 @@@ struct linux_binprm
  
  #ifdef CONFIG_IMA
  extern int ima_bprm_check(struct linux_binprm *bprm);
 -extern int ima_file_check(struct file *file, int mask, int opened);
 +extern int ima_file_check(struct file *file, int mask);
  extern void ima_file_free(struct file *file);
  extern int ima_file_mmap(struct file *file, unsigned long prot);
+ extern int ima_load_data(enum kernel_load_data_id id);
  extern int ima_read_file(struct file *file, enum kernel_read_file_id id);
  extern int ima_post_read_file(struct file *file, void *buf, loff_t size,
                              enum kernel_read_file_id id);

diff --cc include/linux/lsm_hooks.h
Simple merge

diff --cc include/linux/security.h
Simple merge

diff --cc security/integrity/ima/ima.h
Simple merge

diff --cc security/integrity/ima/ima_main.c
index b286f37,dce0a8a..2d31921
--- 1/security/integrity/ima/ima_main.c
--- 2/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@@ -493,9 -490,52 +490,52 @@@ int ima_post_read_file(struct file *fil
        func = read_idmap[read_id] ?: FILE_CHECK;
        security_task_getsecid(current, &secid);
        return process_measurement(file, current_cred(), secid, buf, size,
 -                                 MAY_READ, func, 0);
 +                                 MAY_READ, func);
  }
  
+ /**
+  * ima_load_data - appraise decision based on policy
+  * @id: kernel load data caller identifier
+  *
+  * Callers of this LSM hook can not measure, appraise, or audit the
+  * data provided by userspace.  Enforce policy rules requring a file
+  * signature (eg. kexec'ed kernel image).
+  *
+  * For permission return 0, otherwise return -EACCES.
+  */
+ int ima_load_data(enum kernel_load_data_id id)
+ {
+       bool sig_enforce;
+ 
+       if ((ima_appraise & IMA_APPRAISE_ENFORCE) != IMA_APPRAISE_ENFORCE)
+               return 0;
+ 
+       switch (id) {
+       case LOADING_KEXEC_IMAGE:
+               if (ima_appraise & IMA_APPRAISE_KEXEC) {
+                       pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n");
+                       return -EACCES; /* INTEGRITY_UNKNOWN */
+               }
+               break;
+       case LOADING_FIRMWARE:
+               if (ima_appraise & IMA_APPRAISE_FIRMWARE) {
+                       pr_err("Prevent firmware sysfs fallback loading.\n");
+                       return -EACCES; /* INTEGRITY_UNKNOWN */
+               }
+               break;
+       case LOADING_MODULE:
+               sig_enforce = is_module_sig_enforced();
+ 
+               if (!sig_enforce && (ima_appraise & IMA_APPRAISE_MODULES)) {
+                       pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n");
+                       return -EACCES; /* INTEGRITY_UNKNOWN */
+               }
+       default:
+               break;
+       }
+       return 0;
+ }
+ 
  static int __init init_ima(void)
  {
        int error;

diff --cc security/security.c
Simple merge

diff --cc security/selinux/hooks.c
Simple merge