Merge tag 'integrity-v6.3' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar...
authorLinus Torvalds <torvalds@linux-foundation.org>
Wed, 22 Feb 2023 20:36:25 +0000 (12:36 -0800)
committerLinus Torvalds <torvalds@linux-foundation.org>
Wed, 22 Feb 2023 20:36:25 +0000 (12:36 -0800)
Pull integrity update from Mimi Zohar:
 "One doc and one code cleanup, and two bug fixes"

* tag 'integrity-v6.3' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
  ima: Introduce MMAP_CHECK_REQPROT hook
  ima: Align ima_file_mmap() parameters with mmap_file LSM hook
  evm: call dump_security_xattr() in all cases to remove code duplication
  ima: fix ima_delete_rules() kernel-doc warning
  ima: return IMA digest value only when IMA_COLLECTED flag is set
  ima: fix error handling logic when file measurement failed

include/linux/ima.h
security/integrity/evm/evm_crypto.c
security/integrity/ima/ima.h
security/integrity/ima/ima_api.c
security/integrity/ima/ima_appraise.c
security/integrity/ima/ima_main.c
security/integrity/ima/ima_policy.c
security/security.c

index 172b113a98642d11f96dafa1cd623e9a3d8c2f81,d79fee67235eeb11f25274eeccb2322eb771da97..86b57757c7b1004abc4d122e0fd555d739678fad
@@@ -18,10 -18,11 +18,11 @@@ struct linux_binprm
  extern enum hash_algo ima_get_current_hash_algo(void);
  extern int ima_bprm_check(struct linux_binprm *bprm);
  extern int ima_file_check(struct file *file, int mask);
 -extern void ima_post_create_tmpfile(struct user_namespace *mnt_userns,
 +extern void ima_post_create_tmpfile(struct mnt_idmap *idmap,
                                    struct inode *inode);
  extern void ima_file_free(struct file *file);
- extern int ima_file_mmap(struct file *file, unsigned long prot);
+ extern int ima_file_mmap(struct file *file, unsigned long reqprot,
+                        unsigned long prot, unsigned long flags);
  extern int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot);
  extern int ima_load_data(enum kernel_load_data_id id, bool contents);
  extern int ima_post_load_data(char *buf, loff_t size,
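Review bot: The new ima_file_mmap() prototype carries both `reqprot` and `prot` with nothing telling a header reader how they differ or which one IMA policy is evaluated against; a one-line comment on the declaration would help, e.g. `/* reqprot: protections requested by the caller; prot: protections after adjustment (mirrors the mmap_file LSM hook) */`, with the exact semantics confirmed against the LSM hook definition, which is not in this hunk. The CONFIG_IMA=n inline stub for ima_file_mmap is outside this hunk; presumably it was updated to the same four-parameter form, but that is worth checking since a mismatch only surfaces in a !CONFIG_IMA build.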
index 52b811da6989cbd69c18f636345fbca1517a17e5,0fe6c9cd8eab41350ed4c113a73e9a0866da3a04..033804f5a5f20daeceb048797e0094a3849d8d45
@@@ -254,18 -264,12 +264,12 @@@ static int evm_calc_hmac_or_hash(struc
                        if (is_ima)
                                ima_present = true;
  
-                       if (req_xattr_value_len < 64)
-                               pr_debug("%s: (%zu) [%*phN]\n", req_xattr_name,
-                                        req_xattr_value_len,
-                                        (int)req_xattr_value_len,
-                                        req_xattr_value);
-                       else
-                               dump_security_xattr(req_xattr_name,
-                                                   req_xattr_value,
-                                                   req_xattr_value_len);
+                       dump_security_xattr(req_xattr_name,
+                                           req_xattr_value,
+                                           req_xattr_value_len);
                        continue;
                }
 -              size = vfs_getxattr_alloc(&init_user_ns, dentry, xattr->name,
 +              size = vfs_getxattr_alloc(&nop_mnt_idmap, dentry, xattr->name,
                                          &xattr_value, xattr_size, GFP_NOFS);
                if (size == -ENOMEM) {
                        error = -ENOMEM;
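Review bot: dump_security_xattr() is now the only path for logging the requested xattr value, including values under 64 bytes that the removed branch printed in full via pr_debug; if the helper abbreviates or truncates long values (its former use only for >= 64-byte values suggests it might), then debug output for short values changes format or silently loses bytes, so its behaviour for short lengths should be confirmed, or the full dump kept for them. The value being printed is the security.ima/security.evm blob, so whatever the helper does must stay at pr_debug level and not be promoted. The `nop_mnt_idmap` change at the bottom of the hunk comes from the other merge parent, not from this cleanup. evm_calc_hmac_or_hash begins before and continues after this hunk.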
Simple merge
Simple merge
Simple merge
index 358578267feaa448aaa2598ec3f9c8b1cb93a7fb,31ab86f7e4d3001be442a9e796ad25bc54fd889e..d66a0a36415e8cb495162e39521abdd559c05141
@@@ -224,10 -225,11 +225,11 @@@ static int process_measurement(struct f
         * bitmask based on the appraise/audit/measurement policy.
         * Included is the appraise submask.
         */
 -      action = ima_get_action(file_mnt_user_ns(file), inode, cred, secid,
 +      action = ima_get_action(file_mnt_idmap(file), inode, cred, secid,
                                mask, func, &pcr, &template_desc, NULL,
                                &allowed_algos);
-       violation_check = ((func == FILE_CHECK || func == MMAP_CHECK) &&
+       violation_check = ((func == FILE_CHECK || func == MMAP_CHECK ||
+                           func == MMAP_CHECK_REQPROT) &&
                           (ima_policy_flag & IMA_MEASURE));
        if (!action && !violation_check)
                return 0;
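Review bot: The extended violation_check condition treats MMAP_CHECK_REQPROT exactly like MMAP_CHECK without a comment saying why, and this is the one place a reader has to know that both hooks describe the same mmap event rather than a new kind of access; I would annotate the condition, e.g. `/* MMAP_CHECK_REQPROT is the same mmap event evaluated against the caller's requested protections, so it is subject to the same violation check as MMAP_CHECK. */`, with the "requested protections" wording confirmed against the hook definition, which is not in this hunk. process_measurement begins before and continues after this hunk.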
@@@ -451,9 -467,13 +467,13 @@@ int ima_file_mprotect(struct vm_area_st
  
        security_current_getsecid_subj(&secid);
        inode = file_inode(vma->vm_file);
 -      action = ima_get_action(file_mnt_user_ns(vma->vm_file), inode,
 +      action = ima_get_action(file_mnt_idmap(vma->vm_file), inode,
                                current_cred(), secid, MAY_EXEC, MMAP_CHECK,
                                &pcr, &template, NULL, NULL);
 -      action |= ima_get_action(file_mnt_user_ns(vma->vm_file), inode,
++      action |= ima_get_action(file_mnt_idmap(vma->vm_file), inode,
+                                current_cred(), secid, MAY_EXEC,
+                                MMAP_CHECK_REQPROT, &pcr, &template, NULL,
+                                NULL);
  
        /* Is the mmap'ed file in policy? */
        if (!(action & (IMA_MEASURE | IMA_APPRAISE_SUBMASK)))
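Review bot: Both ima_get_action() calls write through the same `&pcr` and `&template`, so whatever the MMAP_CHECK lookup selected is overwritten by the MMAP_CHECK_REQPROT lookup — with a different rule's PCR and template if that rule matches, or with whatever ima_get_action stores for a non-matching func, which this hunk does not show. The visible code afterwards only tests `action`; if pcr and template are not consumed later in ima_file_mprotect (the function continues past the hunk) and ima_get_action tolerates NULL for those arguments, passing `NULL, NULL` in place of `&pcr, &template` on the second call would make that explicit and remove the question. If they are consumed, the two results need reconciling rather than letting the last write win. ima_file_mprotect's signature and locals are above the hunk.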
Simple merge
Simple merge