From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: linux-security-module@vger.kernel.org,
"Luis R. Rodriguez" <mcgrof@suse.com>,
kexec@lists.infradead.org, linux-modules@vger.kernel.org,
fsdevel@vger.kernel.org, David Howells <dhowells@redhat.com>,
David Woodhouse <dwmw2@infradead.org>,
Kees Cook <keescook@chromium.org>,
Dmitry Torokhov <dmitry.torokhov@gmail.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
Eric Biederman <ebiederm@xmission.com>,
Rusty Russell <rusty@rustcorp.com.au>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
Subject: [PATCH v3 07/22] vfs: define a generic function to read a file from the kernel
Date: Wed, 3 Feb 2016 14:06:15 -0500 [thread overview]
Message-ID: <1454526390-19792-8-git-send-email-zohar@linux.vnet.ibm.com> (raw)
In-Reply-To: <1454526390-19792-1-git-send-email-zohar@linux.vnet.ibm.com>
For a while it was looked down upon to directly read files from Linux.
These days there exists a few mechanisms in the kernel that do just
this though to load a file into a local buffer. There are minor but
important checks differences on each. This patch set is the first
attempt at resolving some of these differences.
This patch introduces a common function for reading files from the kernel
with the corresponding security post-read hook and function.
Changelog v3:
- additional bounds checking - Luis
v2:
- To simplify patch review, re-ordered patches
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Reviewed-by: Luis R. Rodriguez <mcgrof@suse.com>
---
fs/exec.c | 53 +++++++++++++++++++++++++++++++++++++++++++++++
include/linux/fs.h | 1 +
include/linux/lsm_hooks.h | 9 ++++++++
include/linux/security.h | 7 +++++++
security/security.c | 7 +++++++
5 files changed, 77 insertions(+)
diff --git a/fs/exec.c b/fs/exec.c
index b06623a..742de7a 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -56,6 +56,7 @@
#include <linux/pipe_fs_i.h>
#include <linux/oom.h>
#include <linux/compat.h>
+#include <linux/vmalloc.h>
#include <asm/uaccess.h>
#include <asm/mmu_context.h>
@@ -831,6 +832,58 @@ int kernel_read(struct file *file, loff_t offset,
EXPORT_SYMBOL(kernel_read);
+int kernel_read_file(struct file *file, void **buf, loff_t *size,
+ loff_t max_size)
+{
+ loff_t i_size, pos;
+ ssize_t bytes = 0;
+ int ret;
+
+ if (!S_ISREG(file_inode(file)->i_mode) || max_size < 0)
+ return -EINVAL;
+
+ i_size = i_size_read(file_inode(file));
+ if (max_size > 0 && i_size > max_size)
+ return -EFBIG;
+ if (i_size <= 0)
+ return -EINVAL;
+
+ *buf = vmalloc(i_size);
+ if (!*buf)
+ return -ENOMEM;
+
+ pos = 0;
+ while (pos < i_size) {
+ bytes = kernel_read(file, pos, (char *)(*buf) + pos,
+ i_size - pos);
+ if (bytes < 0) {
+ ret = bytes;
+ goto out;
+ }
+
+ if (bytes == 0)
+ break;
+ pos += bytes;
+ }
+
+ if (pos != i_size) {
+ ret = -EIO;
+ goto out;
+ }
+
+ ret = security_kernel_post_read_file(file, *buf, i_size);
+ if (!ret)
+ *size = pos;
+
+out:
+ if (ret < 0) {
+ vfree(*buf);
+ *buf = NULL;
+ }
+ return ret;
+}
+EXPORT_SYMBOL_GPL(kernel_read_file);
+
ssize_t read_code(struct file *file, unsigned long addr, loff_t pos, size_t len)
{
ssize_t res = vfs_read(file, (void __user *)addr, len, &pos);
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 3aa5142..93ca379 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -2527,6 +2527,7 @@ static inline void i_readcount_inc(struct inode *inode)
extern int do_pipe_flags(int *, int);
extern int kernel_read(struct file *, loff_t, char *, unsigned long);
+extern int kernel_read_file(struct file *, void **, loff_t *, loff_t);
extern ssize_t kernel_write(struct file *, const char *, size_t, loff_t);
extern ssize_t __kernel_write(struct file *, const char *, size_t, loff_t *);
extern struct file * open_exec(const char *);
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 71969de..f82631c 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -561,6 +561,13 @@
* the kernel module to load. If the module is being loaded from a blob,
* this argument will be NULL.
* Return 0 if permission is granted.
+ * @kernel_post_read_file:
+ * Read a file specified by userspace.
+ * @file contains the file structure pointing to the file being read
+ * by the kernel.
+ * @buf pointer to buffer containing the file contents.
+ * @size length of the file contents.
+ * Return 0 if permission is granted.
* @task_fix_setuid:
* Update the module's state after setting one or more of the user
* identity attributes of the current process. The @flags parameter
@@ -1457,6 +1464,7 @@ union security_list_options {
int (*kernel_fw_from_file)(struct file *file, char *buf, size_t size);
int (*kernel_module_request)(char *kmod_name);
int (*kernel_module_from_file)(struct file *file);
+ int (*kernel_post_read_file)(struct file *file, char *buf, loff_t size);
int (*task_fix_setuid)(struct cred *new, const struct cred *old,
int flags);
int (*task_setpgid)(struct task_struct *p, pid_t pgid);
@@ -1716,6 +1724,7 @@ struct security_hook_heads {
struct list_head kernel_act_as;
struct list_head kernel_create_files_as;
struct list_head kernel_fw_from_file;
+ struct list_head kernel_post_read_file;
struct list_head kernel_module_request;
struct list_head kernel_module_from_file;
struct list_head task_fix_setuid;
diff --git a/include/linux/security.h b/include/linux/security.h
index 4824a4c..f30f564 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -301,6 +301,7 @@ int security_kernel_create_files_as(struct cred *new, struct inode *inode);
int security_kernel_fw_from_file(struct file *file, char *buf, size_t size);
int security_kernel_module_request(char *kmod_name);
int security_kernel_module_from_file(struct file *file);
+int security_kernel_post_read_file(struct file *file, char *buf, loff_t size);
int security_task_fix_setuid(struct cred *new, const struct cred *old,
int flags);
int security_task_setpgid(struct task_struct *p, pid_t pgid);
@@ -866,6 +867,12 @@ static inline int security_kernel_module_from_file(struct file *file)
return 0;
}
+static inline int security_kernel_post_read_file(struct file *file,
+ char *buf, loff_t size)
+{
+ return 0;
+}
+
static inline int security_task_fix_setuid(struct cred *new,
const struct cred *old,
int flags)
diff --git a/security/security.c b/security/security.c
index e8ffd92..ae50730 100644
--- a/security/security.c
+++ b/security/security.c
@@ -910,6 +910,11 @@ int security_kernel_module_from_file(struct file *file)
return ima_module_check(file);
}
+int security_kernel_post_read_file(struct file *file, char *buf, loff_t size)
+{
+ return call_int_hook(kernel_post_read_file, 0, file, buf, size);
+}
+
int security_task_fix_setuid(struct cred *new, const struct cred *old,
int flags)
{
@@ -1697,6 +1702,8 @@ struct security_hook_heads security_hook_heads = {
LIST_HEAD_INIT(security_hook_heads.kernel_module_request),
.kernel_module_from_file =
LIST_HEAD_INIT(security_hook_heads.kernel_module_from_file),
+ .kernel_post_read_file =
+ LIST_HEAD_INIT(security_hook_heads.kernel_post_read_file),
.task_fix_setuid =
LIST_HEAD_INIT(security_hook_heads.task_fix_setuid),
.task_setpgid = LIST_HEAD_INIT(security_hook_heads.task_setpgid),
--
2.1.0
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: linux-security-module@vger.kernel.org,
"Luis R. Rodriguez" <mcgrof@suse.com>,
kexec@lists.infradead.org, linux-modules@vger.kernel.org,
fsdevel@vger.kernel.org, David Howells <dhowells@redhat.com>,
David Woodhouse <dwmw2@infradead.org>,
Kees Cook <keescook@chromium.org>,
Dmitry Torokhov <dmitry.torokhov@gmail.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
Eric Biederman <ebiederm@xmission.com>,
Rusty Russell <rusty@rustcorp.com.au>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
Subject: [PATCH v3 07/22] vfs: define a generic function to read a file from the kernel
Date: Wed, 3 Feb 2016 14:06:15 -0500 [thread overview]
Message-ID: <1454526390-19792-8-git-send-email-zohar@linux.vnet.ibm.com> (raw)
In-Reply-To: <1454526390-19792-1-git-send-email-zohar@linux.vnet.ibm.com>
For a while it was looked down upon to directly read files from Linux.
These days there exists a few mechanisms in the kernel that do just
this though to load a file into a local buffer. There are minor but
important checks differences on each. This patch set is the first
attempt at resolving some of these differences.
This patch introduces a common function for reading files from the kernel
with the corresponding security post-read hook and function.
Changelog v3:
- additional bounds checking - Luis
v2:
- To simplify patch review, re-ordered patches
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Reviewed-by: Luis R. Rodriguez <mcgrof@suse.com>
---
fs/exec.c | 53 +++++++++++++++++++++++++++++++++++++++++++++++
include/linux/fs.h | 1 +
include/linux/lsm_hooks.h | 9 ++++++++
include/linux/security.h | 7 +++++++
security/security.c | 7 +++++++
5 files changed, 77 insertions(+)
diff --git a/fs/exec.c b/fs/exec.c
index b06623a..742de7a 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -56,6 +56,7 @@
#include <linux/pipe_fs_i.h>
#include <linux/oom.h>
#include <linux/compat.h>
+#include <linux/vmalloc.h>
#include <asm/uaccess.h>
#include <asm/mmu_context.h>
@@ -831,6 +832,58 @@ int kernel_read(struct file *file, loff_t offset,
EXPORT_SYMBOL(kernel_read);
+int kernel_read_file(struct file *file, void **buf, loff_t *size,
+ loff_t max_size)
+{
+ loff_t i_size, pos;
+ ssize_t bytes = 0;
+ int ret;
+
+ if (!S_ISREG(file_inode(file)->i_mode) || max_size < 0)
+ return -EINVAL;
+
+ i_size = i_size_read(file_inode(file));
+ if (max_size > 0 && i_size > max_size)
+ return -EFBIG;
+ if (i_size <= 0)
+ return -EINVAL;
+
+ *buf = vmalloc(i_size);
+ if (!*buf)
+ return -ENOMEM;
+
+ pos = 0;
+ while (pos < i_size) {
+ bytes = kernel_read(file, pos, (char *)(*buf) + pos,
+ i_size - pos);
+ if (bytes < 0) {
+ ret = bytes;
+ goto out;
+ }
+
+ if (bytes == 0)
+ break;
+ pos += bytes;
+ }
+
+ if (pos != i_size) {
+ ret = -EIO;
+ goto out;
+ }
+
+ ret = security_kernel_post_read_file(file, *buf, i_size);
+ if (!ret)
+ *size = pos;
+
+out:
+ if (ret < 0) {
+ vfree(*buf);
+ *buf = NULL;
+ }
+ return ret;
+}
+EXPORT_SYMBOL_GPL(kernel_read_file);
+
ssize_t read_code(struct file *file, unsigned long addr, loff_t pos, size_t len)
{
ssize_t res = vfs_read(file, (void __user *)addr, len, &pos);
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 3aa5142..93ca379 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -2527,6 +2527,7 @@ static inline void i_readcount_inc(struct inode *inode)
extern int do_pipe_flags(int *, int);
extern int kernel_read(struct file *, loff_t, char *, unsigned long);
+extern int kernel_read_file(struct file *, void **, loff_t *, loff_t);
extern ssize_t kernel_write(struct file *, const char *, size_t, loff_t);
extern ssize_t __kernel_write(struct file *, const char *, size_t, loff_t *);
extern struct file * open_exec(const char *);
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 71969de..f82631c 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -561,6 +561,13 @@
* the kernel module to load. If the module is being loaded from a blob,
* this argument will be NULL.
* Return 0 if permission is granted.
+ * @kernel_post_read_file:
+ * Read a file specified by userspace.
+ * @file contains the file structure pointing to the file being read
+ * by the kernel.
+ * @buf pointer to buffer containing the file contents.
+ * @size length of the file contents.
+ * Return 0 if permission is granted.
* @task_fix_setuid:
* Update the module's state after setting one or more of the user
* identity attributes of the current process. The @flags parameter
@@ -1457,6 +1464,7 @@ union security_list_options {
int (*kernel_fw_from_file)(struct file *file, char *buf, size_t size);
int (*kernel_module_request)(char *kmod_name);
int (*kernel_module_from_file)(struct file *file);
+ int (*kernel_post_read_file)(struct file *file, char *buf, loff_t size);
int (*task_fix_setuid)(struct cred *new, const struct cred *old,
int flags);
int (*task_setpgid)(struct task_struct *p, pid_t pgid);
@@ -1716,6 +1724,7 @@ struct security_hook_heads {
struct list_head kernel_act_as;
struct list_head kernel_create_files_as;
struct list_head kernel_fw_from_file;
+ struct list_head kernel_post_read_file;
struct list_head kernel_module_request;
struct list_head kernel_module_from_file;
struct list_head task_fix_setuid;
diff --git a/include/linux/security.h b/include/linux/security.h
index 4824a4c..f30f564 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -301,6 +301,7 @@ int security_kernel_create_files_as(struct cred *new, struct inode *inode);
int security_kernel_fw_from_file(struct file *file, char *buf, size_t size);
int security_kernel_module_request(char *kmod_name);
int security_kernel_module_from_file(struct file *file);
+int security_kernel_post_read_file(struct file *file, char *buf, loff_t size);
int security_task_fix_setuid(struct cred *new, const struct cred *old,
int flags);
int security_task_setpgid(struct task_struct *p, pid_t pgid);
@@ -866,6 +867,12 @@ static inline int security_kernel_module_from_file(struct file *file)
return 0;
}
+static inline int security_kernel_post_read_file(struct file *file,
+ char *buf, loff_t size)
+{
+ return 0;
+}
+
static inline int security_task_fix_setuid(struct cred *new,
const struct cred *old,
int flags)
diff --git a/security/security.c b/security/security.c
index e8ffd92..ae50730 100644
--- a/security/security.c
+++ b/security/security.c
@@ -910,6 +910,11 @@ int security_kernel_module_from_file(struct file *file)
return ima_module_check(file);
}
+int security_kernel_post_read_file(struct file *file, char *buf, loff_t size)
+{
+ return call_int_hook(kernel_post_read_file, 0, file, buf, size);
+}
+
int security_task_fix_setuid(struct cred *new, const struct cred *old,
int flags)
{
@@ -1697,6 +1702,8 @@ struct security_hook_heads security_hook_heads = {
LIST_HEAD_INIT(security_hook_heads.kernel_module_request),
.kernel_module_from_file =
LIST_HEAD_INIT(security_hook_heads.kernel_module_from_file),
+ .kernel_post_read_file =
+ LIST_HEAD_INIT(security_hook_heads.kernel_post_read_file),
.task_fix_setuid =
LIST_HEAD_INIT(security_hook_heads.task_fix_setuid),
.task_setpgid = LIST_HEAD_INIT(security_hook_heads.task_setpgid),
--
2.1.0
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
next prev parent reply other threads:[~2016-02-03 19:08 UTC|newest]
Thread overview: 154+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-02-03 19:06 [PATCH v3 00/22] vfs: support for a common kernel file loader Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-03 19:06 ` [PATCH v3 01/22] ima: separate 'security.ima' reading functionality from collect Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-03 19:06 ` [PATCH v3 02/22] ima: refactor ima_policy_show() to display "ima_hooks" rules Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-07 19:45 ` Petko Manolov
2016-02-07 19:45 ` Petko Manolov
2016-02-10 19:33 ` Dmitry Kasatkin
2016-02-10 19:33 ` Dmitry Kasatkin
2016-02-03 19:06 ` [PATCH v3 03/22] ima: use "ima_hooks" enum as function argument Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-07 19:46 ` Petko Manolov
2016-02-07 19:46 ` Petko Manolov
2016-02-10 19:35 ` Dmitry Kasatkin
2016-02-10 19:35 ` Dmitry Kasatkin
2016-02-03 19:06 ` [PATCH v3 04/22] firmware: simplify dev_*() print messages for generic helpers Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-04 17:26 ` Kees Cook
2016-02-04 17:26 ` Kees Cook
2016-02-03 19:06 ` [PATCH v3 05/22] firmware: move completing fw into a helper Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-04 17:27 ` Kees Cook
2016-02-04 17:27 ` Kees Cook
2016-02-03 19:06 ` [PATCH v3 06/22] firmware: fold successful fw read early Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-04 17:36 ` Kees Cook
2016-02-04 17:36 ` Kees Cook
2016-02-04 20:26 ` Luis R. Rodriguez
2016-02-04 20:26 ` Luis R. Rodriguez
2016-02-03 19:06 ` Mimi Zohar [this message]
2016-02-03 19:06 ` [PATCH v3 07/22] vfs: define a generic function to read a file from the kernel Mimi Zohar
2016-02-04 17:41 ` Kees Cook
2016-02-04 17:41 ` Kees Cook
2016-02-03 19:06 ` [PATCH v3 08/22] vfs: define kernel_read_file_id enumeration Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-04 17:41 ` Kees Cook
2016-02-04 17:41 ` Kees Cook
2016-02-04 19:45 ` Luis R. Rodriguez
2016-02-04 19:45 ` Luis R. Rodriguez
2016-02-03 19:06 ` [PATCH v3 09/22] ima: provide buffer hash calculation function Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-03 19:06 ` [PATCH v3 10/22] ima: calculate the hash of a buffer using aynchronous hash(ahash) Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-10 19:58 ` Dmitry Kasatkin
2016-02-10 19:58 ` Dmitry Kasatkin
2016-02-03 19:06 ` [PATCH v3 11/22] ima: define a new hook to measure and appraise a file already in memory Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-10 20:27 ` Dmitry Kasatkin
2016-02-10 20:27 ` Dmitry Kasatkin
2016-02-03 19:06 ` [PATCH v3 12/22] vfs: define kernel_read_file_from_path Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-04 17:46 ` Kees Cook
2016-02-04 17:46 ` Kees Cook
2016-02-04 19:47 ` Luis R. Rodriguez
2016-02-04 19:47 ` Luis R. Rodriguez
2016-02-03 19:06 ` [PATCH v3 13/22] firmware: replace call to fw_read_file_contents() with kernel version Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-04 17:56 ` Kees Cook
2016-02-04 17:56 ` Kees Cook
2016-02-04 19:51 ` Luis R. Rodriguez
2016-02-04 19:51 ` Luis R. Rodriguez
2016-02-03 19:06 ` [PATCH v3 14/22] security: define kernel_read_file hook Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-04 17:57 ` Kees Cook
2016-02-04 17:57 ` Kees Cook
2016-02-04 19:54 ` Luis R. Rodriguez
2016-02-04 19:54 ` Luis R. Rodriguez
2016-02-11 16:54 ` Casey Schaufler
2016-02-11 16:54 ` Casey Schaufler
2016-02-11 19:35 ` Mimi Zohar
2016-02-11 19:35 ` Mimi Zohar
2016-02-03 19:06 ` [PATCH v3 15/22] vfs: define kernel_copy_file_from_fd() Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-04 17:58 ` Kees Cook
2016-02-04 17:58 ` Kees Cook
2016-02-04 19:55 ` Luis R. Rodriguez
2016-02-04 19:55 ` Luis R. Rodriguez
2016-02-03 19:06 ` [PATCH v3 16/22] module: replace copy_module_from_fd with kernel version Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-04 18:04 ` Kees Cook
2016-02-04 18:04 ` Kees Cook
2016-02-04 19:56 ` Luis R. Rodriguez
2016-02-04 19:56 ` Luis R. Rodriguez
2016-02-05 0:19 ` Mimi Zohar
2016-02-05 0:19 ` Mimi Zohar
2016-02-03 19:06 ` [PATCH v3 17/22] ima: remove firmware and module specific cached status info Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-07 19:56 ` Petko Manolov
2016-02-07 19:56 ` Petko Manolov
2016-02-10 20:18 ` Dmitry Kasatkin
2016-02-10 20:18 ` Dmitry Kasatkin
2016-02-10 23:14 ` Mimi Zohar
2016-02-10 23:14 ` Mimi Zohar
2016-02-03 19:06 ` [PATCH v3 18/22] kexec: replace call to copy_file_from_fd() with kernel version Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-04 18:05 ` Kees Cook
2016-02-04 18:05 ` Kees Cook
2016-02-04 19:57 ` Luis R. Rodriguez
2016-02-04 19:57 ` Luis R. Rodriguez
2016-02-12 12:50 ` Dave Young
2016-02-12 12:50 ` Dave Young
2016-02-03 19:06 ` [PATCH v3 19/22] ima: support for kexec image and initramfs Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-07 20:10 ` Petko Manolov
2016-02-07 20:10 ` Petko Manolov
2016-02-08 23:34 ` Mimi Zohar
2016-02-08 23:34 ` Mimi Zohar
2016-02-10 21:09 ` Dmitry Kasatkin
2016-02-10 21:09 ` Dmitry Kasatkin
2016-02-10 23:21 ` Mimi Zohar
2016-02-10 23:21 ` Mimi Zohar
[not found] ` <CACE9dm8OJ1cgbKszUG-pCiEMVarUFLLWi_jewVV-JEMGAJsA-g@mail.gmail.com>
2016-02-11 2:08 ` Mimi Zohar
2016-02-11 2:08 ` Mimi Zohar
2016-02-11 8:47 ` Dmitry Kasatkin
2016-02-11 8:47 ` Dmitry Kasatkin
2016-02-11 12:16 ` Mimi Zohar
2016-02-11 12:16 ` Mimi Zohar
2016-02-12 12:53 ` Dave Young
2016-02-12 12:53 ` Dave Young
2016-02-12 13:09 ` Mimi Zohar
2016-02-12 13:09 ` Mimi Zohar
2016-02-03 19:06 ` [PATCH v3 20/22] ima: load policy using path Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-07 19:59 ` Petko Manolov
2016-02-07 19:59 ` Petko Manolov
2016-02-08 9:58 ` Dmitry Kasatkin
2016-02-08 9:58 ` Dmitry Kasatkin
2016-02-08 10:35 ` Petko Manolov
2016-02-08 10:35 ` Petko Manolov
2016-02-08 10:45 ` Dmitry Kasatkin
2016-02-08 10:45 ` Dmitry Kasatkin
2016-02-08 21:12 ` Mimi Zohar
2016-02-08 21:12 ` Mimi Zohar
2016-02-09 7:47 ` Petko Manolov
2016-02-09 7:47 ` Petko Manolov
2016-02-03 19:06 ` [PATCH v3 21/22] ima: measure and appraise the IMA policy itself Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-07 20:01 ` Petko Manolov
2016-02-07 20:01 ` Petko Manolov
2016-02-10 20:22 ` Dmitry Kasatkin
2016-02-10 20:22 ` Dmitry Kasatkin
2016-02-10 23:15 ` Mimi Zohar
2016-02-10 23:15 ` Mimi Zohar
2016-02-03 19:06 ` [PATCH v3 22/22] ima: require signed IMA policy Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-07 20:02 ` Petko Manolov
2016-02-07 20:02 ` Petko Manolov
2016-02-10 20:24 ` Dmitry Kasatkin
2016-02-10 20:24 ` Dmitry Kasatkin
2016-02-04 18:15 ` [PATCH v3 00/22] vfs: support for a common kernel file loader Kees Cook
2016-02-04 18:15 ` Kees Cook
2016-02-04 23:54 ` Mimi Zohar
2016-02-04 23:54 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1454526390-19792-8-git-send-email-zohar@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=dmitry.torokhov@gmail.com \
--cc=dwmw2@infradead.org \
--cc=ebiederm@xmission.com \
--cc=fsdevel@vger.kernel.org \
--cc=keescook@chromium.org \
--cc=kexec@lists.infradead.org \
--cc=linux-modules@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mcgrof@suse.com \
--cc=rusty@rustcorp.com.au \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.