user/sven/linux.git/Documentation/security, branch stable/4.3.y

Merge branch 'smack-for-4.3' of https://github.com/cschaufler/smack-next into next

2015-08-11T01:18:53Z

Smack: IPv6 host labeling

2015-07-28T13:35:21Z

IPv6 appears to be (finally) coming of age with the influx of autonomous devices. In support of this, add the ability to associate a Smack label with IPv6 addresses. This patch also cleans up some of the conditional compilation associated with the introduction of secmark processing. It's now more obvious which bit of code goes with which feature. Signed-off-by: Casey Schaufler

Yama: remove needless CONFIG_SECURITY_YAMA_STACKED

2015-07-28T03:18:19Z

Now that minor LSMs can cleanly stack with major LSMs, remove the unneeded config for Yama to be made to explicitly stack. Just selecting the main Yama CONFIG will allow it to work, regardless of the major LSM. Since distros using Yama are already forcing it to stack, this is effectively a no-op change. Additionally add MAINTAINERS entry. Signed-off-by: Kees Cook Signed-off-by: James Morris

Smack: allow multiple labels in onlycap

2015-06-02T18:53:42Z

Smack onlycap allows limiting of CAP_MAC_ADMIN and CAP_MAC_OVERRIDE to processes running with the configured label. But having single privileged label is not enough in some real use cases. On a complex system like Tizen, there maybe few programs that need to configure Smack policy in run-time and running them all with a single label is not always practical. This patch extends onlycap feature for multiple labels. They are configured in the same smackfs "onlycap" interface, separated by spaces. Signed-off-by: Rafal Krypa

Smack: Updates for Smack documentation

2015-03-31T17:35:31Z

Document the Smack bringup features. Update the proper location for mounting smackfs from /smack to /sys/fs/smackfs. Fix some spelling errors. Suggest the use of the load2 interface instead of the load interface. Signed-off-by: Casey Schaufler

KEYS: Make /proc/keys unconditional if CONFIG_KEYS=y

2015-01-22T22:34:32Z

Now that /proc/keys is used by libkeyutils to look up a key by type and description, we should make it unconditional and remove CONFIG_DEBUG_PROC_KEYS. Reported-by: Jiri Kosina Signed-off-by: David Howells Tested-by: Jiri Kosina

Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity into next

2014-11-19T10:36:07Z

Merge commit 'v3.17' into next

2014-11-19T10:32:12Z

ima: added support for new kernel cmdline parameter ima_template_fmt

2014-10-13T12:39:02Z

This patch allows users to provide a custom template format through the new kernel command line parameter 'ima_template_fmt'. If the supplied format is not valid, IMA uses the default template descriptor. Changelog: - v3: - added check for 'fields' and 'num_fields' in template_desc_init_fields() (suggested by Mimi Zohar) - v2: - using template_desc_init_fields() to validate a format string (Roberto Sassu) - updated documentation by stating that only the chosen template descriptor is initialized (Roberto Sassu) - v1: - simplified code of ima_template_fmt_setup() (Roberto Sassu, suggested by Mimi Zohar) Signed-off-by: Roberto Sassu Signed-off-by: Mimi Zohar

KEYS: Update the keyrings documentation for match changes

2014-09-16T16:36:09Z

Signed-off-by: David Howells Acked-by: Vivek Goyal