diff for duplicates of <1525400977.3539.199.camel@linux.vnet.ibm.com>
diff --git a/a/1.txt b/N1/1.txt
index 47491bb..f962c0c 100644
--- a/a/1.txt
+++ b/N1/1.txt
@@ -23,11 +23,11 @@ On Thu, 2018-05-03 at 18:03 -0500, Eric W. Biederman wrote:
> >> >> instrument of policy.
> >> >
> >> > True, for those building their own kernel, they can disable the old
-> >> > syscalls. The concern is not for those building their own kernels,
-> >> > but for those using stock kernels.
+> >> > syscalls. ?The concern is not for those building their own kernels,
+> >> > but for those using stock kernels. ?
> >> >
> >> > By adding an LSM hook here in the kexec_load syscall, as opposed to an
-> >> > IMA specific hook, other LSMs can piggy back on top of it. Currently,
+> >> > IMA specific hook, other LSMs can piggy back on top of it. ?Currently,
> >> > both load_pin and SELinux are gating the kernel module syscalls based
> >> > on security_kernel_read_file.
> >> >
@@ -44,7 +44,7 @@ On Thu, 2018-05-03 at 18:03 -0500, Eric W. Biederman wrote:
> > Suppose a system owner wants to define a system wide policy that
> > requires all code be signed - kernel modules, firmware, kexec image &
> > initramfs, executables, mmapped files, etc - without having to rebuild
-> > the kernel. Without a call in kexec_load that isn't possible.
+> > the kernel. ?Without a call in kexec_load that isn't possible.
>
> Of course it is. You just make it a requirement that before an
> executable will be signed it will be audited to see that it doesn't
@@ -53,7 +53,7 @@ On Thu, 2018-05-03 at 18:03 -0500, Eric W. Biederman wrote:
> that most applications will never call.
Initially I'm hoping that files will simply come signed, providing
-file provenance. Anything else is gravy.
+file provenance. ?Anything else is gravy.
> >> >> If you don't trust userspace that needs to be spelled out very clearly.
> >> >> You need to talk about what your threat models are.
@@ -76,7 +76,12 @@ file provenance. Anything else is gravy.
Existing kernels might not support the newer kexec_file_load syscall,
so packages are currently being built to try one syscall and fallback
-to using the other one. In this case, it has nothing to do with
+to using the other one. ?In this case, it has nothing to do with
quality control.
-Mimi
\ No newline at end of file
+Mimi
+
+--
+To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
+the body of a message to majordomo at vger.kernel.org
+More majordomo info at http://vger.kernel.org/majordomo-info.html
\ No newline at end of file
diff --git a/a/content_digest b/N1/content_digest
index 49beafb..259c30e 100644
--- a/a/content_digest
+++ b/N1/content_digest
@@ -17,26 +17,16 @@
"ref\00087fu38jq98.fsf\@xmission.com\0"
]
[
- "From\0Mimi Zohar <zohar\@linux.vnet.ibm.com>\0"
+ "From\0zohar\@linux.vnet.ibm.com (Mimi Zohar)\0"
]
[
- "Subject\0Re: [PATCH 0/3] kexec: limit kexec_load syscall\0"
+ "Subject\0[PATCH 0/3] kexec: limit kexec_load syscall\0"
]
[
"Date\0Thu, 03 May 2018 22:29:37 -0400\0"
]
[
- "To\0Eric W. Biederman <ebiederm\@xmission.com>\0"
-]
-[
- "Cc\0Kees Cook <keescook\@chromium.org>",
- " David Howells <dhowells\@redhat.com>",
- " Matthew Garrett <mjg59\@google.com>",
- " linux-integrity\@vger.kernel.org",
- " linux-security-module\@vger.kernel.org",
- " kexec\@lists.infradead.org",
- " linux-kernel\@vger.kernel.org",
- " kernel-hardening\@lists.openwall.com\0"
+ "To\0linux-security-module\@vger.kernel.org\0"
]
[
"\0000:1\0"
@@ -70,11 +60,11 @@
"> >> >> instrument of policy.\n",
"> >> >\n",
"> >> > True, for those building their own kernel, they can disable the old\n",
- "> >> > syscalls. \302\240The concern is not for those building their own kernels,\n",
- "> >> > but for those using stock kernels. \302\240\n",
+ "> >> > syscalls. ?The concern is not for those building their own kernels,\n",
+ "> >> > but for those using stock kernels. ?\n",
"> >> >\n",
"> >> > By adding an LSM hook here in the kexec_load syscall, as opposed to an\n",
- "> >> > IMA specific hook, other LSMs can piggy back on top of it. \302\240Currently,\n",
+ "> >> > IMA specific hook, other LSMs can piggy back on top of it. ?Currently,\n",
"> >> > both load_pin and SELinux are gating the kernel module syscalls based\n",
"> >> > on security_kernel_read_file.\n",
"> >> >\n",
@@ -91,7 +81,7 @@
"> > Suppose a system owner wants to define a system wide policy that\n",
"> > requires all code be signed - kernel modules, firmware, kexec image &\n",
"> > initramfs, executables, mmapped files, etc - without having to rebuild\n",
- "> > the kernel. \302\240Without a call in kexec_load that isn't possible.\n",
+ "> > the kernel. ?Without a call in kexec_load that isn't possible.\n",
"> \n",
"> Of course it is. You just make it a requirement that before an\n",
"> executable will be signed it will be audited to see that it doesn't\n",
@@ -100,7 +90,7 @@
"> that most applications will never call.\n",
"\n",
"Initially I'm hoping that files will simply come signed, providing\n",
- "file provenance. \302\240Anything else is gravy.\n",
+ "file provenance. ?Anything else is gravy.\n",
"\n",
"> >> >> If you don't trust userspace that needs to be spelled out very clearly.\n",
"> >> >> You need to talk about what your threat models are.\n",
@@ -123,10 +113,15 @@
"\n",
"Existing kernels might not support the newer kexec_file_load syscall,\n",
"so packages are currently being built to try one syscall and fallback\n",
- "to using the other one. \302\240In this case, it has nothing to do with\n",
+ "to using the other one. ?In this case, it has nothing to do with\n",
"quality control.\n",
"\n",
- "Mimi"
+ "Mimi\n",
+ "\n",
+ "--\n",
+ "To unsubscribe from this list: send the line \"unsubscribe linux-security-module\" in\n",
+ "the body of a message to majordomo at vger.kernel.org\n",
+ "More majordomo info at http://vger.kernel.org/majordomo-info.html"
]
-03a88b990e0c68bc1e0098b3fd9f797a65ff42210d69236576bd6c1f464123de
+0658d90c62c8d7961e3f65656b05446339b18244a6551b1166de9deb1de88c4e
diff --git a/a/1.txt b/N2/1.txt
index 47491bb..2dda581 100644
--- a/a/1.txt
+++ b/N2/1.txt
@@ -23,11 +23,11 @@ On Thu, 2018-05-03 at 18:03 -0500, Eric W. Biederman wrote:
> >> >> instrument of policy.
> >> >
> >> > True, for those building their own kernel, they can disable the old
-> >> > syscalls. The concern is not for those building their own kernels,
-> >> > but for those using stock kernels.
+> >> > syscalls. The concern is not for those building their own kernels,
+> >> > but for those using stock kernels.
> >> >
> >> > By adding an LSM hook here in the kexec_load syscall, as opposed to an
-> >> > IMA specific hook, other LSMs can piggy back on top of it. Currently,
+> >> > IMA specific hook, other LSMs can piggy back on top of it. Currently,
> >> > both load_pin and SELinux are gating the kernel module syscalls based
> >> > on security_kernel_read_file.
> >> >
@@ -44,7 +44,7 @@ On Thu, 2018-05-03 at 18:03 -0500, Eric W. Biederman wrote:
> > Suppose a system owner wants to define a system wide policy that
> > requires all code be signed - kernel modules, firmware, kexec image &
> > initramfs, executables, mmapped files, etc - without having to rebuild
-> > the kernel. Without a call in kexec_load that isn't possible.
+> > the kernel. Without a call in kexec_load that isn't possible.
>
> Of course it is. You just make it a requirement that before an
> executable will be signed it will be audited to see that it doesn't
@@ -53,7 +53,7 @@ On Thu, 2018-05-03 at 18:03 -0500, Eric W. Biederman wrote:
> that most applications will never call.
Initially I'm hoping that files will simply come signed, providing
-file provenance. Anything else is gravy.
+file provenance. Anything else is gravy.
> >> >> If you don't trust userspace that needs to be spelled out very clearly.
> >> >> You need to talk about what your threat models are.
@@ -76,7 +76,7 @@ file provenance. Anything else is gravy.
Existing kernels might not support the newer kexec_file_load syscall,
so packages are currently being built to try one syscall and fallback
-to using the other one. In this case, it has nothing to do with
+to using the other one. In this case, it has nothing to do with
quality control.
Mimi
\ No newline at end of file
diff --git a/a/content_digest b/N2/content_digest
index 49beafb..f9274f7 100644
--- a/a/content_digest
+++ b/N2/content_digest
@@ -70,11 +70,11 @@
"> >> >> instrument of policy.\n",
"> >> >\n",
"> >> > True, for those building their own kernel, they can disable the old\n",
- "> >> > syscalls. \302\240The concern is not for those building their own kernels,\n",
- "> >> > but for those using stock kernels. \302\240\n",
+ "> >> > syscalls. The concern is not for those building their own kernels,\n",
+ "> >> > but for those using stock kernels. \n",
"> >> >\n",
"> >> > By adding an LSM hook here in the kexec_load syscall, as opposed to an\n",
- "> >> > IMA specific hook, other LSMs can piggy back on top of it. \302\240Currently,\n",
+ "> >> > IMA specific hook, other LSMs can piggy back on top of it. Currently,\n",
"> >> > both load_pin and SELinux are gating the kernel module syscalls based\n",
"> >> > on security_kernel_read_file.\n",
"> >> >\n",
@@ -91,7 +91,7 @@
"> > Suppose a system owner wants to define a system wide policy that\n",
"> > requires all code be signed - kernel modules, firmware, kexec image &\n",
"> > initramfs, executables, mmapped files, etc - without having to rebuild\n",
- "> > the kernel. \302\240Without a call in kexec_load that isn't possible.\n",
+ "> > the kernel. Without a call in kexec_load that isn't possible.\n",
"> \n",
"> Of course it is. You just make it a requirement that before an\n",
"> executable will be signed it will be audited to see that it doesn't\n",
@@ -100,7 +100,7 @@
"> that most applications will never call.\n",
"\n",
"Initially I'm hoping that files will simply come signed, providing\n",
- "file provenance. \302\240Anything else is gravy.\n",
+ "file provenance. Anything else is gravy.\n",
"\n",
"> >> >> If you don't trust userspace that needs to be spelled out very clearly.\n",
"> >> >> You need to talk about what your threat models are.\n",
@@ -123,10 +123,10 @@
"\n",
"Existing kernels might not support the newer kexec_file_load syscall,\n",
"so packages are currently being built to try one syscall and fallback\n",
- "to using the other one. \302\240In this case, it has nothing to do with\n",
+ "to using the other one. In this case, it has nothing to do with\n",
"quality control.\n",
"\n",
"Mimi"
]
-03a88b990e0c68bc1e0098b3fd9f797a65ff42210d69236576bd6c1f464123de
+24b0f0a51d6388a12f73c85e2673b9b621e788c2e50e8b1075bfe6913662a36c
diff --git a/a/1.txt b/N3/1.txt
index 47491bb..942cb7a 100644
--- a/a/1.txt
+++ b/N3/1.txt
@@ -79,4 +79,10 @@ so packages are currently being built to try one syscall and fallback
to using the other one. In this case, it has nothing to do with
quality control.
-Mimi
\ No newline at end of file
+Mimi
+
+
+_______________________________________________
+kexec mailing list
+kexec@lists.infradead.org
+http://lists.infradead.org/mailman/listinfo/kexec
\ No newline at end of file
diff --git a/a/content_digest b/N3/content_digest
index 49beafb..8e6cc0e 100644
--- a/a/content_digest
+++ b/N3/content_digest
@@ -30,13 +30,13 @@
]
[
"Cc\0Kees Cook <keescook\@chromium.org>",
- " David Howells <dhowells\@redhat.com>",
- " Matthew Garrett <mjg59\@google.com>",
- " linux-integrity\@vger.kernel.org",
- " linux-security-module\@vger.kernel.org",
+ " kernel-hardening\@lists.openwall.com",
" kexec\@lists.infradead.org",
" linux-kernel\@vger.kernel.org",
- " kernel-hardening\@lists.openwall.com\0"
+ " Matthew Garrett <mjg59\@google.com>",
+ " David Howells <dhowells\@redhat.com>",
+ " linux-security-module\@vger.kernel.org",
+ " linux-integrity\@vger.kernel.org\0"
]
[
"\0000:1\0"
@@ -126,7 +126,13 @@
"to using the other one. \302\240In this case, it has nothing to do with\n",
"quality control.\n",
"\n",
- "Mimi"
+ "Mimi\n",
+ "\n",
+ "\n",
+ "_______________________________________________\n",
+ "kexec mailing list\n",
+ "kexec\@lists.infradead.org\n",
+ "http://lists.infradead.org/mailman/listinfo/kexec"
]
-03a88b990e0c68bc1e0098b3fd9f797a65ff42210d69236576bd6c1f464123de
+9fffd215662a437f9a0fa0bba26a0dc1e8caee27134f2e59e26acde2cb9d4852
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.