Merge tag 'integrity-v6.7' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar...

Pull integrity updates from Mimi Zohar:
 "Four integrity changes: two IMA-overlay updates, an integrity Kconfig
  cleanup, and a secondary keyring update"

* tag 'integrity-v6.7' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
  ima: detect changes to the backing overlay file
  certs: Only allow certs signed by keys on the builtin keyring
  integrity: fix indentation of config attributes
  ima: annotate iint mutex to avoid lockdep false positive warnings

diff --cc fs/overlayfs/super.c
index 6cd949c59fed9f349484ff4b4de5712754ff4e22,c71d185980c08f1f36112be8c26c83b82b406d47..17864a8d2b85c4ff0b9339888daf9488f8998736
--- 1/fs/overlayfs/super.c
--- 2/fs/overlayfs/super.c
+++ b/fs/overlayfs/super.c
@@@ -1496,16 -1488,8 +1496,16 @@@ int ovl_fill_super(struct super_block *
        sb->s_xattr = ofs->config.userxattr ? ovl_user_xattr_handlers :
                ovl_trusted_xattr_handlers;
        sb->s_fs_info = ofs;
 +#ifdef CONFIG_FS_POSIX_ACL
        sb->s_flags |= SB_POSIXACL;
-       sb->s_iflags |= SB_I_SKIP_SYNC | SB_I_IMA_UNVERIFIABLE_SIGNATURE;
 +#endif
+       sb->s_iflags |= SB_I_SKIP_SYNC;
 +      /*
 +       * Ensure that umask handling is done by the filesystems used
 +       * for the the upper layer instead of overlayfs as that would
 +       * lead to unexpected results.
 +       */
 +      sb->s_iflags |= SB_I_NOUMASK;
  
        err = -ENOMEM;
        root_dentry = ovl_get_root(sb, ctx->upper.dentry, oe);

diff --cc security/integrity/Kconfig
index b6e074ac022730cf4a1f6331379db3827b40e424,1e151e6a5d3fad463f521c26f6db1f7c6599aec3..3c45f4f3455fb652f3847132d8c3d7290a57c3fa
--- 1/security/integrity/Kconfig
--- 2/security/integrity/Kconfig
+++ b/security/integrity/Kconfig
@@@ -68,11 -68,13 +68,11 @@@ config INTEGRITY_MACHINE_KEYRIN
        depends on INTEGRITY_ASYMMETRIC_KEYS
        depends on SYSTEM_BLACKLIST_KEYRING
        depends on LOAD_UEFI_KEYS || LOAD_PPC_KEYS
 -      select INTEGRITY_CA_MACHINE_KEYRING if LOAD_PPC_KEYS
 -      select INTEGRITY_CA_MACHINE_KEYRING_MAX if LOAD_PPC_KEYS
        help
-        If set, provide a keyring to which Machine Owner Keys (MOK) may
-        be added. This keyring shall contain just MOK keys.  Unlike keys
-        in the platform keyring, keys contained in the .machine keyring will
-        be trusted within the kernel.
+         If set, provide a keyring to which Machine Owner Keys (MOK) may
+         be added. This keyring shall contain just MOK keys.  Unlike keys
+         in the platform keyring, keys contained in the .machine keyring will
+         be trusted within the kernel.
  
  config INTEGRITY_CA_MACHINE_KEYRING
        bool "Enforce Machine Keyring CA Restrictions"