WireGuard for the Linux kernel https://git.zx2c4.com/wireguard-linux/atom/security?h=stable 2025-10-05T17:48:33Z 2025-10-05T17:48:33Z Linus Torvalds torvalds@linux-foundation.org 2025-10-05T17:48:33Z urn:sha1:678074f1a8e03598977bdeea10a4ce51c4f4a0c4 Pull integrity updates from Mimi Zohar: "Just a couple of changes: crypto code cleanup and a IMA xattr bug fix" * tag 'integrity-v6.18' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity: ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr lib/digsig: Use SHA-1 library instead of crypto_shash integrity: Select CRYPTO from INTEGRITY_ASYMMETRIC_KEYS 2025-10-04T22:23:29Z Linus Torvalds torvalds@linux-foundation.org 2025-10-04T22:23:29Z urn:sha1:b4e5bb555594826bb98aaf8bcd9f957f0428cb07 Pull keys updates from Jarkko Sakkinen: "A few minor updates/fixes for keys" * tag 'keys-next-6.18' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd: security: keys: use menuconfig for KEYS symbol KEYS: encrypted: Use SHA-256 library instead of crypto_shash KEYS: trusted_tpm1: Move private functionality out of public header KEYS: trusted_tpm1: Use SHA-1 library instead of crypto_shash KEYS: trusted_tpm1: Compare HMAC values in constant time 2025-10-04T14:25:35Z Randy Dunlap rdunlap@infradead.org 2025-09-27T18:14:20Z urn:sha1:8be70a8fc667c33e69257a72e8092f07c828241e Give the KEYS kconfig symbol and its associated symbols a separate menu space under Security options by using "menuconfig" instead of "config". This also makes it easier to find the security and LSM options. Signed-off-by: Randy Dunlap <rdunlap@infradead.org> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org> 2025-10-04T14:25:35Z Eric Biggers ebiggers@kernel.org 2025-09-15T18:14:43Z urn:sha1:9b8d24a49fe83787208479d51f320cead25e856c Instead of the "sha256" crypto_shash, just use sha256(). Similarly, instead of the "hmac(sha256)" crypto_shash, just use hmac_sha256_usingrawkey(). This is simpler and faster. Signed-off-by: Eric Biggers <ebiggers@kernel.org> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org> 2025-10-03T23:32:36Z Linus Torvalds torvalds@linux-foundation.org 2025-10-03T23:32:36Z urn:sha1:50647a1176b7abd1b4ae55b491eb2fbbeef89db9 Pull file->f_path constification from Al Viro: "Only one thing was modifying ->f_path of an opened file - acct(2). Massaging that away and constifying a bunch of struct path * arguments in functions that might be given &file->f_path ends up with the situation where we can turn ->f_path into an anon union of const struct path f_path and struct path __f_path, the latter modified only in a few places in fs/{file_table,open,namei}.c, all for struct file instances that are yet to be opened" * tag 'pull-f_path' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (23 commits) Have cc(1) catch attempts to modify ->f_path kernel/acct.c: saner struct file treatment configfs:get_target() - release path as soon as we grab configfs_item reference apparmor/af_unix: constify struct path * arguments ovl_is_real_file: constify realpath argument ovl_sync_file(): constify path argument ovl_lower_dir(): constify path argument ovl_get_verity_digest(): constify path argument ovl_validate_verity(): constify {meta,data}path arguments ovl_ensure_verity_loaded(): constify datapath argument ksmbd_vfs_set_init_posix_acl(): constify path argument ksmbd_vfs_inherit_posix_acl(): constify path argument ksmbd_vfs_kern_path_unlock(): constify path argument ksmbd_vfs_path_lookup_locked(): root_share_path can be const struct path * check_export(): constify path argument export_operations->open(): constify path argument rqst_exp_get_by_name(): constify path argument nfs: constify path argument of __vfs_getattr() bpf...d_path(): constify path argument done_path_create(): constify path argument ... 2025-10-03T18:14:02Z Linus Torvalds torvalds@linux-foundation.org 2025-10-03T18:14:02Z urn:sha1:33fc69a05c50f00f1218408a56348bcab95b831d Pull d_name audit update from Al Viro: "Simplifying ->d_name audits, easy part. Turn dentry->d_name into an anon union of const struct qsrt (d_name itself) and a writable alias (__d_name). With constification of some struct qstr * arguments of functions that get &dentry->d_name passed to them, that ends up with all modifications provably done only in fs/dcache.c (and a fairly small part of it). Any new places doing modifications will be easy to find - grep for __d_name will suffice" * tag 'pull-qstr' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: make it easier to catch those who try to modify ->d_name generic_ci_validate_strict_name(): constify name argument afs_dir_search: constify qstr argument afs_edit_dir_{add,remove}(): constify qstr argument exfat_find(): constify qstr argument security_dentry_init_security(): constify qstr argument 2025-10-03T11:50:56Z Coiby Xu coxu@redhat.com 2025-09-15T05:55:23Z urn:sha1:88b4cbcf6b041ae0f2fc8a34554a5b6a83a2b7cd Currently when both IMA and EVM are in fix mode, the IMA signature will be reset to IMA hash if a program first stores IMA signature in security.ima and then writes/removes some other security xattr for the file. For example, on Fedora, after booting the kernel with "ima_appraise=fix evm=fix ima_policy=appraise_tcb" and installing rpm-plugin-ima, installing/reinstalling a package will not make good reference IMA signature generated. Instead IMA hash is generated, # getfattr -m - -d -e hex /usr/bin/bash # file: usr/bin/bash security.ima=0x0404... This happens because when setting security.selinux, the IMA_DIGSIG flag that had been set early was cleared. As a result, IMA hash is generated when the file is closed. Similarly, IMA signature can be cleared on file close after removing security xattr like security.evm or setting/removing ACL. Prevent replacing the IMA file signature with a file hash, by preventing the IMA_DIGSIG flag from being reset. Here's a minimal C reproducer which sets security.selinux as the last step which can also replaced by removing security.evm or setting ACL, #include <stdio.h> #include <sys/xattr.h> #include <fcntl.h> #include <unistd.h> #include <string.h> #include <stdlib.h> int main() { const char* file_path = "/usr/sbin/test_binary"; const char* hex_string = "030204d33204490066306402304"; int length = strlen(hex_string); char* ima_attr_value; int fd; fd = open(file_path, O_WRONLY|O_CREAT|O_EXCL, 0644); if (fd == -1) { perror("Error opening file"); return 1; } ima_attr_value = (char*)malloc(length / 2 ); for (int i = 0, j = 0; i < length; i += 2, j++) { sscanf(hex_string + i, "%2hhx", &ima_attr_value[j]); } if (fsetxattr(fd, "security.ima", ima_attr_value, length/2, 0) == -1) { perror("Error setting extended attribute"); close(fd); return 1; } const char* selinux_value= "system_u:object_r:bin_t:s0"; if (fsetxattr(fd, "security.selinux", selinux_value, strlen(selinux_value), 0) == -1) { perror("Error setting extended attribute"); close(fd); return 1; } close(fd); return 0; } Signed-off-by: Coiby Xu <coxu@redhat.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2025-10-03T11:50:56Z Eric Biggers ebiggers@kernel.org 2025-08-15T02:17:32Z urn:sha1:1376956c5e9e7871978153a483904dc3238e96fb Select CRYPTO from INTEGRITY_ASYMMETRIC_KEYS, since INTEGRITY_ASYMMETRIC_KEYS selects several options that depend on CRYPTO. This unblocks the removal of the CRYPTO selection from SIGNATURE. SIGNATURE (lib/digsig.c) itself will no longer need CRYPTO, but INTEGRITY_ASYMMETRIC_KEYS was depending on it indirectly via the chain SIGNATURE => INTEGRITY_SIGNATURE => INTEGRITY_ASYMMETRIC_KEYS. Signed-off-by: Eric Biggers <ebiggers@kernel.org> Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2025-10-02T15:57:03Z Linus Torvalds torvalds@linux-foundation.org 2025-10-02T15:57:03Z urn:sha1:77633c77eee37ddc160493a4cf6070c166f47dc0 Pull bitmap updates from Yury Norov: - FIELD_PREP_WM16() consolidation (Nicolas) - bitmaps for Rust (Burak) - __fls() fix for arc (Kees) * tag 'bitmap-for-6.18' of https://github.com/norov/linux: (25 commits) rust: add dynamic ID pool abstraction for bitmap rust: add find_bit_benchmark_rust module. rust: add bitmap API. rust: add bindings for bitops.h rust: add bindings for bitmap.h phy: rockchip-pcie: switch to FIELD_PREP_WM16 macro clk: sp7021: switch to FIELD_PREP_WM16 macro PCI: dw-rockchip: Switch to FIELD_PREP_WM16 macro PCI: rockchip: Switch to FIELD_PREP_WM16* macros net: stmmac: dwmac-rk: switch to FIELD_PREP_WM16 macro ASoC: rockchip: i2s-tdm: switch to FIELD_PREP_WM16_CONST macro drm/rockchip: dw_hdmi: switch to FIELD_PREP_WM16* macros phy: rockchip-usb: switch to FIELD_PREP_WM16 macro drm/rockchip: inno-hdmi: switch to FIELD_PREP_WM16 macro drm/rockchip: dw_hdmi_qp: switch to FIELD_PREP_WM16 macro phy: rockchip-samsung-dcphy: switch to FIELD_PREP_WM16 macro drm/rockchip: vop2: switch to FIELD_PREP_WM16 macro drm/rockchip: dsi: switch to FIELD_PREP_WM16* macros phy: rockchip-emmc: switch to FIELD_PREP_WM16 macro drm/rockchip: lvds: switch to FIELD_PREP_WM16 macro ... 2025-09-30T15:48:29Z Linus Torvalds torvalds@linux-foundation.org 2025-09-30T15:48:29Z urn:sha1:76f01a4f22c465bdb63ee19aaf5b682c5893ba96 Pull lsm updates from Paul Moore: - Move the management of the LSM BPF security blobs into the framework In order to enable multiple LSMs we need to allocate and free the various security blobs in the LSM framework and not the individual LSMs as they would end up stepping all over each other. - Leverage the lsm_bdev_alloc() helper in lsm_bdev_alloc() Make better use of our existing helper functions to reduce some code duplication. - Update the Rust cred code to use 'sync::aref' Part of a larger effort to move the Rust code over to the 'sync' module. - Make CONFIG_LSM dependent on CONFIG_SECURITY As the CONFIG_LSM Kconfig setting is an ordered list of the LSMs to enable a boot, it obviously doesn't make much sense to enable this when CONFIG_SECURITY is disabled. - Update the LSM and CREDENTIALS sections in MAINTAINERS with Rusty bits Add the Rust helper files to the associated LSM and CREDENTIALS entries int the MAINTAINERS file. We're trying to improve the communication between the two groups and making sure we're all aware of what is going on via cross-posting to the relevant lists is a good way to start. * tag 'lsm-pr-20250926' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm: lsm: CONFIG_LSM can depend on CONFIG_SECURITY MAINTAINERS: add the associated Rust helper to the CREDENTIALS section MAINTAINERS: add the associated Rust helper to the LSM section rust,cred: update AlwaysRefCounted import to sync::aref security: use umax() to improve code lsm,selinux: Add LSM blob support for BPF objects lsm: use lsm_blob_alloc() in lsm_bdev_alloc()