Merge branch 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorri...

Pull integrity updates from James Morris:
 "This adds support for EVM signatures based on larger digests, contains
  a new audit record AUDIT_INTEGRITY_POLICY_RULE to differentiate the
  IMA policy rules from the IMA-audit messages, addresses two deadlocks
  due to either loading or searching for crypto algorithms, and cleans
  up the audit messages"

* 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  EVM: fix return value check in evm_write_xattrs()
  integrity: prevent deadlock during digsig verification.
  evm: Allow non-SHA1 digital signatures
  evm: Don't deadlock if a crypto algorithm is unavailable
  integrity: silence warning when CONFIG_SECURITYFS is not enabled
  ima: Differentiate auditing policy rules from "audit" actions
  ima: Do not audit if CONFIG_INTEGRITY_AUDIT is not set
  ima: Use audit_log_format() rather than audit_log_string()
  ima: Call audit_log_string() rather than logging it untrusted

diff --combined include/uapi/linux/audit.h
index 4e3eaba,cf2bad8..818ae69
--- 1/include/uapi/linux/audit.h
--- 2/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@@ -148,6 -148,7 +148,7 @@@
  #define AUDIT_INTEGRITY_PCR       1804 /* PCR invalidation msgs */
  #define AUDIT_INTEGRITY_RULE      1805 /* policy rule */
  #define AUDIT_INTEGRITY_EVM_XATTR   1806 /* New EVM-covered xattr */
+ #define AUDIT_INTEGRITY_POLICY_RULE 1807 /* IMA policy rules */
  
  #define AUDIT_KERNEL          2000    /* Asynchronous audit record. NOT A REQUEST. */
  
@@@ -157,8 -158,7 +158,8 @@@
  #define AUDIT_FILTER_ENTRY    0x02    /* Apply rule at syscall entry */
  #define AUDIT_FILTER_WATCH    0x03    /* Apply rule to file system watches */
  #define AUDIT_FILTER_EXIT     0x04    /* Apply rule at syscall exit */
 -#define AUDIT_FILTER_TYPE     0x05    /* Apply rule at audit_log_start */
 +#define AUDIT_FILTER_EXCLUDE  0x05    /* Apply rule before record creation */
 +#define AUDIT_FILTER_TYPE     AUDIT_FILTER_EXCLUDE /* obsolete misleading naming */
  #define AUDIT_FILTER_FS               0x06    /* Apply rule at __audit_inode_child */
  
  #define AUDIT_NR_FILTERS      7

diff --combined security/security.c
index ab4f963,dbca03d..47cfff0
--- 1/security/security.c
--- 2/security/security.c
+++ b/security/security.c
@@@ -972,11 -972,11 +972,11 @@@ int security_file_receive(struct file *
        return call_int_hook(file_receive, 0, file);
  }
  
 -int security_file_open(struct file *file, const struct cred *cred)
 +int security_file_open(struct file *file)
  {
        int ret;
  
 -      ret = call_int_hook(file_open, 0, file, cred);
 +      ret = call_int_hook(file_open, 0, file);
        if (ret)
                return ret;
  
@@@ -1032,7 -1032,12 +1032,12 @@@ int security_kernel_create_files_as(str
  
  int security_kernel_module_request(char *kmod_name)
  {
-       return call_int_hook(kernel_module_request, 0, kmod_name);
+       int ret;
+ 
+       ret = call_int_hook(kernel_module_request, 0, kmod_name);
+       if (ret)
+               return ret;
+       return integrity_kernel_module_request(kmod_name);
  }
  
  int security_kernel_read_file(struct file *file, enum kernel_read_file_id id)