From: Djalal Harouni <tixxdz@gmail.com>
To: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	Andy Lutomirski <luto@kernel.org>,
	Kees Cook <keescook@chromium.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	kernel-hardening@lists.openwall.com,
	linux-security-module@vger.kernel.org
Cc: Linux API <linux-api@vger.kernel.org>,
	Dongsu Park <dpark@posteo.net>,
	Casey Schaufler <casey@schaufler-ca.com>,
	James Morris <james.l.morris@oracle.com>, <serge@hallyn.com>,
	Paul Moore <paul@paul-moore.com>,
	Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Djalal Harouni <tixxdz@gmail.com>
Subject: [PATCH RFC v2 3/3] Documentation: add ModAutoRestrict LSM documentation
Date: Sun,  9 Apr 2017 12:42:10 +0200
Message-ID: <1491734530-25002-4-git-send-email-tixxdz@gmail.com>
In-Reply-To: <1491734530-25002-1-git-send-email-tixxdz@gmail.com>

Cc: Andy Lutomirski <luto@kernel.org>
Cc: James Morris <james.l.morris@oracle.com>
Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: Kees Cook <keescook@chromium.org>
Signed-off-by: Djalal Harouni <tixxdz@gmail.com>
---
 Documentation/security/00-INDEX            |  2 +
 Documentation/security/ModAutoRestrict.txt | 77 ++++++++++++++++++++++++++++++
 2 files changed, 79 insertions(+)
 create mode 100644 Documentation/security/ModAutoRestrict.txt

diff --git a/Documentation/security/00-INDEX b/Documentation/security/00-INDEX
index 45c82fd..35dbdf0 100644
--- a/Documentation/security/00-INDEX
+++ b/Documentation/security/00-INDEX
@@ -24,3 +24,5 @@ tomoyo.txt
 	- documentation on the TOMOYO Linux Security Module.
 IMA-templates.txt
 	- documentation on the template management mechanism for IMA.
+ModAutoRestrict.txt
+        - documentation on the ModAutoRestrict Linux Security Module.
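
Review bot: The added description line under ModAutoRestrict.txt is indented with eight spaces, whereas the existing entries visible in the context (tomoyo.txt, IMA-templates.txt) indent their description with a tab. Switch to a tab so the new entry matches the rest of 00-INDEX.
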
diff --git a/Documentation/security/ModAutoRestrict.txt b/Documentation/security/ModAutoRestrict.txt
new file mode 100644
index 0000000..47acae8
--- /dev/null
+++ b/Documentation/security/ModAutoRestrict.txt
@@ -0,0 +1,77 @@
+ModAutoRestrict is a Linux Security Module that applies restrictions on
+automatic module loading operations. This is selectable at build-time
+with CONFIG_SECURITY_MODAUTORESTRICT, and can be controlled at run-time
+through sysctls in /proc/sys/kernel/modautorestrict/autoload or as a
+per-process setting via a prctl() interface.
+
+===========================================
+
+A userspace request to use a kernel feature that is implemented by modules
+that are not loaded may trigger the module auto-load feature to load
+these modules in order to satisfy userspace. However as today's Linux use
+cases cover embedded systems to containers where applications are running
+in their own separate environments, reducing or preventing operations
+that may affect external environments is an important constraint.
+Therefore, we need a way to control if automatic module loading is
+allowed or which applications are allowed to trigger the module
+auto-load feature.
+
+The ModAutoRestrict LSM allows system administrators or sandbox
+mechanisms to control the module auto-load feature and prevent loading
+unneeded modules or abuse the interface.
+
+The settings can be applied globally using a sysctl interface which
+completes the core kernel interface "modules_disable".
+
+The feature is also available as a prctl() interface. This allows to
+apply restrictions when sandboxing processes. On embedded Linux systems,
+or containers where only some containers/processes should have the
+right privileges to load modules, this allows to restrict those
+processes from inserting modules. Only privileged processes can be
+allowed to perform so. A more restrictive access can be applied where
+the module autoload feature is completely disabled.
+In this schema the access rules are per-process and inherited by
+children created by fork(2) and clone(2), and preserved across execve(2).
+
+Interface:
+
+*) The per-process prctl() settings are:
+
+ prctl(PR_MOD_AUTO_RESTRICT_OPTS, PR_SET_MOD_AUTO_RESTRICT, value, 0, 0)
+
+ Where value means:
+
+ 0 - Classic module auto-load permissions, nothing changes.
+
+ 1 - The current process must have CAP_SYS_MODULE to be able to
+     auto-load modules. CAP_NET_ADMIN should allow to auto-load
+     modules with a 'netdev-%s' alias.
+
+ 2 - Current process can not auto-load modules. Once set, this prctl
+     value can not be changed.
+
+ The per-process value may only be increased, never decreased, thus ensuring
+ that once applied, processes can never relaxe their setting.
+
+*) The global sysctl setting can be set by writting an integer value to
+   '/proc/sys/kernel/modautorestrict/autoload'
+
+ The valid values are:
+
+ 0 - Classic module auto-load permissions, nothing changes.
+
+ 1 - Processes must have CAP_SYS_MODULE to be able to auto-load modules.
+     CAP_NET_ADMIN should allow to auto-load modules with a 'netdev-%s'
+     alias.
+
+ 2 - Processes can not auto-load modules. Once set, this sysctl value
+     can not be changed.
+
+*) Access rules:
+   First the prctl() settings are checked, if the access is not denied
+   then the global sysctl settings are checked.
+
+
+The original idea and inspiration is from grsecurity 'GRKERNSEC_MODHARDEN'.
+
+==========================================================================
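
Review bot: In both value-1 entries, "CAP_NET_ADMIN should allow to auto-load modules with a 'netdev-%s' alias" does not say whether this is what the code does or only what is intended; state it as a rule, for example "CAP_NET_ADMIN is sufficient to auto-load modules with a 'netdev-%s' alias". The sysctl section also needs the guarantees the prctl section gives: it says value 2 cannot be changed, but not whether 1 may be lowered back to 0 or which privilege is required to write the file. The "Access rules" paragraph would be clearer if it said outright that the stricter of the prctl and sysctl settings wins. The text gives no way to read back the current per-process value and no error returns for the prctl() call; if the interface has them, document them here. Smaller points: "relaxe" should be "relax", "writting" should be "writing", "or abuse the interface" should be "or abusing the interface", "perform so" should be "do so", and the first "=====" rule has no title above it.
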
-- 
2.10.2
