diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2016-05-19 12:21:36 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2016-05-19 12:21:36 -0400 |
| commit | f4f27d0028aabce57e44c16c2fdefccd6310d2f3 (patch) | |
| tree | 09f25601316d22b64165c19042da51c101bde3c4 /security/security.c | |
| parent | 2600a46ee0ed57c0e0a382c2a37ebac64d374d20 (diff) | |
| parent | b937190c40de0f6f07f592042e3097b16c6b0130 (diff) | |
Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem updates from James Morris:
"Highlights:
- A new LSM, "LoadPin", from Kees Cook is added, which allows forcing
of modules and firmware to be loaded from a specific device (this
is from ChromeOS, where the device as a whole is verified
cryptographically via dm-verity).
This is disabled by default but can be configured to be enabled by
default (don't do this if you don't know what you're doing).
- Keys: allow authentication data to be stored in an asymmetric key.
Lots of general fixes and updates.
- SELinux: add restrictions for loading of kernel modules via
finit_module(). Distinguish non-init user namespace capability
checks. Apply execstack check on thread stacks"
* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (48 commits)
LSM: LoadPin: provide enablement CONFIG
Yama: use atomic allocations when reporting
seccomp: Fix comment typo
ima: add support for creating files using the mknodat syscall
ima: fix ima_inode_post_setattr
vfs: forbid write access when reading a file into memory
fs: fix over-zealous use of "const"
selinux: apply execstack check on thread stacks
selinux: distinguish non-init user namespace capability checks
LSM: LoadPin for kernel file loading restrictions
fs: define a string representation of the kernel_read_file_id enumeration
Yama: consolidate error reporting
string_helpers: add kstrdup_quotable_file
string_helpers: add kstrdup_quotable_cmdline
string_helpers: add kstrdup_quotable
selinux: check ss_initialized before revalidating an inode label
selinux: delay inode label lookup as long as possible
selinux: don't revalidate an inode's label when explicitly setting it
selinux: Change bool variable name to index.
KEYS: Add KEYCTL_DH_COMPUTE command
...
Diffstat (limited to 'security/security.c')
| -rw-r--r-- | security/security.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/security/security.c b/security/security.c index d17e4a6d269c..709569305d32 100644 --- a/security/security.c +++ b/security/security.c | |||
| @@ -60,6 +60,7 @@ int __init security_init(void) | |||
| 60 | */ | 60 | */ |
| 61 | capability_add_hooks(); | 61 | capability_add_hooks(); |
| 62 | yama_add_hooks(); | 62 | yama_add_hooks(); |
| 63 | loadpin_add_hooks(); | ||
| 63 | 64 | ||
| 64 | /* | 65 | /* |
| 65 | * Load all the remaining security modules. | 66 | * Load all the remaining security modules. |
| @@ -1848,7 +1849,6 @@ struct security_hook_heads security_hook_heads = { | |||
| 1848 | .tun_dev_attach = | 1849 | .tun_dev_attach = |
| 1849 | LIST_HEAD_INIT(security_hook_heads.tun_dev_attach), | 1850 | LIST_HEAD_INIT(security_hook_heads.tun_dev_attach), |
| 1850 | .tun_dev_open = LIST_HEAD_INIT(security_hook_heads.tun_dev_open), | 1851 | .tun_dev_open = LIST_HEAD_INIT(security_hook_heads.tun_dev_open), |
| 1851 | .skb_owned_by = LIST_HEAD_INIT(security_hook_heads.skb_owned_by), | ||
| 1852 | #endif /* CONFIG_SECURITY_NETWORK */ | 1852 | #endif /* CONFIG_SECURITY_NETWORK */ |
| 1853 | #ifdef CONFIG_SECURITY_NETWORK_XFRM | 1853 | #ifdef CONFIG_SECURITY_NETWORK_XFRM |
| 1854 | .xfrm_policy_alloc_security = | 1854 | .xfrm_policy_alloc_security = |