Linux kernel tree for laptop https://git.zx2c4.com/laptop-kernel/atom/Documentation/admin-guide/LSM?h=master 2025-06-18T19:12:54Z 2025-06-18T19:12:54Z Stephen Smalley stephen.smalley.work@gmail.com 2025-06-17T14:39:07Z urn:sha1:17bd3c01667aafaa267e64be70f9627e287ec210 Add links to the SELinux kernel subsystem README.md file, the SELinux kernel wiki, and the SELinux userspace wiki to the SELinux guide. Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com> [PM: spacing and style corrections, subject tweak] Signed-off-by: Paul Moore <paul@paul-moore.com> 2025-05-28T01:08:51Z Jasjiv Singh jasjivsingh@linux.microsoft.com 2025-03-13T21:51:01Z urn:sha1:1d887d6f810dbf908da9709393c95ae1a649d587 Users of IPE require a way to identify when and why an operation fails, allowing them to both respond to violations of policy and be notified of potentially malicious actions on their systems with respect to IPE. This patch introduces a new error field to the AUDIT_IPE_POLICY_LOAD event to log policy loading failures. Currently, IPE only logs successful policy loads, but not failures. Tracking failures is crucial to detect malicious attempts and ensure a complete audit trail for security events. The new error field will capture the following error codes: * -ENOKEY: Key used to sign the IPE policy not found in the keyring * -ESTALE: Attempting to update an IPE policy with an older version * -EKEYREJECTED: IPE signature verification failed * -ENOENT: Policy was deleted while updating * -EEXIST: Same name policy already deployed * -ERANGE: Policy version number overflow * -EINVAL: Policy version parsing error * -EPERM: Insufficient permission * -ENOMEM: Out of memory (OOM) * -EBADMSG: Policy is invalid Here are some examples of the updated audit record types: AUDIT_IPE_POLICY_LOAD(1422): audit: AUDIT1422 policy_name="Test_Policy" policy_version=0.0.1 policy_digest=sha256:84EFBA8FA71E62AE0A537FAB962F8A2BD1053964C4299DCA 92BFFF4DB82E86D3 auid=1000 ses=3 lsm=ipe res=1 errno=0 The above record shows a new policy has been successfully loaded into the kernel with the policy name, version, and hash with the errno=0. AUDIT_IPE_POLICY_LOAD(1422) with error: audit: AUDIT1422 policy_name=? policy_version=? policy_digest=? auid=1000 ses=3 lsm=ipe res=0 errno=-74 The above record shows a policy load failure due to an invalid policy (-EBADMSG). By adding this error field, we ensure that all policy load attempts, whether successful or failed, are logged, providing a comprehensive audit trail for IPE policy management. Signed-off-by: Jasjiv Singh <jasjivsingh@linux.microsoft.com> Signed-off-by: Fan Wu <wufan@kernel.org> 2025-03-26T12:59:49Z Mickaël Salaün mic@digikod.net 2025-03-20T19:07:17Z urn:sha1:8e2dd47b10e77452733eae23cc83078fa29c1e9a Because audit is dedicated to the system administrator, create a new entry in Documentation/admin-guide/LSM . Extend other Landlock documentation's pages with this new one. Extend UAPI with the new log flags. Extend the guiding principles with logs. Cc: Günther Noack <gnoack@google.com> Cc: Paul Moore <paul@paul-moore.com> Link: https://lore.kernel.org/r/20250320190717.2287696-29-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net> 2024-11-27T03:21:06Z Siddharth Menon simeddon@gmail.com 2024-10-02T09:49:40Z urn:sha1:d00c2359fc1852258d8ce218cf2f509086da720c After the deprecation of CONFIG_DEFAULT_SECURITY, it is no longer used to enable and configure AppArmor. Since kernel 5.0, `CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE` is not used either. Instead, the CONFIG_LSM parameter manages the order and selection of LSMs. Signed-off-by: Siddharth Menon <simeddon@gmail.com> Signed-off-by: John Johansen <john.johansen@canonical.com> 2024-10-17T18:46:10Z Luca Boccassi bluca@debian.org 2024-09-15T09:11:19Z urn:sha1:02e2f9aa33e461468de02e35ad977bd7233960ae The current policy management makes it impossible to use IPE in a general purpose distribution. In such cases the users are not building the kernel, the distribution is, and access to the private key included in the trusted keyring is, for obvious reason, not available. This means that users have no way to enable IPE, since there will be no built-in generic policy, and no access to the key to sign updates validated by the trusted keyring. Just as we do for dm-verity, kernel modules and more, allow the secondary and platform keyrings to also validate policies. This allows users enrolling their own keys in UEFI db or MOK to also sign policies, and enroll them. This makes it sensible to enable IPE in general purpose distributions, as it becomes usable by any user wishing to do so. Keys in these keyrings can already load kernels and kernel modules, so there is no security downgrade. Add a kconfig each, like dm-verity does, but default to enabled if the dependencies are available. Signed-off-by: Luca Boccassi <bluca@debian.org> Reviewed-by: Serge Hallyn <serge@hallyn.com> [FW: fixed some style issues] Signed-off-by: Fan Wu <wufan@kernel.org> 2024-10-17T18:38:15Z Luca Boccassi bluca@debian.org 2024-09-25T21:01:34Z urn:sha1:5ceecb301e50e933c1e621fbeea5ec239fbff858 Currently IPE accepts an update that has the same version as the policy being updated, but it doesn't make it a no-op nor it checks that the old and new policyes are the same. So it is possible to change the content of a policy, without changing its version. This is very confusing from userspace when managing policies. Instead change the update logic to reject updates that have the same version with ESTALE, as that is much clearer and intuitive behaviour. Signed-off-by: Luca Boccassi <bluca@debian.org> Reviewed-by: Serge Hallyn <serge@hallyn.com> Signed-off-by: Fan Wu <wufan@kernel.org> 2024-08-20T18:03:47Z Deven Bowers deven.desai@linux.microsoft.com 2024-08-03T06:08:33Z urn:sha1:ac6731870ed943c7c6a8d4114b3ccaddfbdf7d58 Add IPE's admin and developer documentation to the kernel tree. Co-developed-by: Fan Wu <wufan@linux.microsoft.com> Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com> Signed-off-by: Fan Wu <wufan@linux.microsoft.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 2024-06-03T13:43:11Z Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp 2024-06-03T13:43:11Z urn:sha1:c6144a21169fe7d0d70f1a0dae6f6301e5918d30 TOMOYO project has moved to SourceForge.net . Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> 2021-03-15T19:32:32Z Jiele zhao unclexiaole@gmail.com 2021-03-08T02:03:58Z urn:sha1:0860b72d535f869e26252df66d4f634e1655f84a Loadpin cmdline interface "enabled" has been renamed to "enforce" for a long time, but the User Description Document was not updated. (Meaning unchanged) And kernel_read_file* were moved from linux/fs.h to its own linux/kernel_read_file.h include file. So update that change here. Signed-off-by: Jiele zhao <unclexiaole@gmail.com> Link: https://lore.kernel.org/r/20210308020358.102836-1-unclexiaole@gmail.com Signed-off-by: Jonathan Corbet <corbet@lwn.net> 2020-10-28T17:42:02Z Mauro Carvalho Chehab mchehab+huawei@kernel.org 2020-10-27T09:51:36Z urn:sha1:afc74ce7b484da5c5698d8eb2472a58c547cbc2b As reported by Sphinx 2.4.4: docs/Documentation/admin-guide/LSM/SafeSetID.rst:110: WARNING: Title underline too short. Note on GID policies and setgroups() ================== Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org> Link: https://lore.kernel.org/r/4afa281c170daabd1ce522653d5d5d5078ebd92c.1603791716.git.mchehab+huawei@kernel.org Signed-off-by: Jonathan Corbet <corbet@lwn.net>