From: Casey Schaufler <casey@schaufler-ca.com>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>,
linux-security-module@vger.kernel.org,
"Luis R. Rodriguez" <mcgrof@suse.com>,
kexec@lists.infradead.org, linux-modules@vger.kernel.org,
fsdevel@vger.kernel.org, David Howells <dhowells@redhat.com>,
David Woodhouse <dwmw2@infradead.org>,
Kees Cook <keescook@chromium.org>,
Dmitry Torokhov <dmitry.torokhov@gmail.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
Eric Biederman <ebiederm@xmission.com>,
Rusty Russell <rusty@rustcorp.com.au>
Subject: Re: [PATCH v3 14/22] security: define kernel_read_file hook
Date: Thu, 11 Feb 2016 08:54:01 -0800 [thread overview]
Message-ID: <56BCBCA9.3040102@schaufler-ca.com> (raw)
In-Reply-To: <1454526390-19792-15-git-send-email-zohar@linux.vnet.ibm.com>
On 2/3/2016 11:06 AM, Mimi Zohar wrote:
> The kernel_read_file security hook is called prior to reading the file
> into memory.
>
> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Being able to deny the read prior to performing any
real work makes a lot of sense.
> ---
> fs/exec.c | 4 ++++
> include/linux/ima.h | 6 ++++++
> include/linux/lsm_hooks.h | 8 ++++++++
> include/linux/security.h | 7 +++++++
> security/integrity/ima/ima_main.c | 16 ++++++++++++++++
> security/security.c | 12 ++++++++++++
> 6 files changed, 53 insertions(+)
>
> diff --git a/fs/exec.c b/fs/exec.c
> index 5629958..1d39c4e 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -842,6 +842,10 @@ int kernel_read_file(struct file *file, void **buf, loff_t *size,
> if (!S_ISREG(file_inode(file)->i_mode) || max_size < 0)
> return -EINVAL;
>
> + ret = security_kernel_read_file(file, id);
> + if (ret)
> + return ret;
> +
> i_size = i_size_read(file_inode(file));
> if (max_size > 0 && i_size > max_size)
> return -EFBIG;
> diff --git a/include/linux/ima.h b/include/linux/ima.h
> index 7aea486..6adcaea 100644
> --- a/include/linux/ima.h
> +++ b/include/linux/ima.h
> @@ -19,6 +19,7 @@ extern int ima_file_check(struct file *file, int mask, int opened);
> extern void ima_file_free(struct file *file);
> extern int ima_file_mmap(struct file *file, unsigned long prot);
> extern int ima_module_check(struct file *file);
> +extern int ima_read_file(struct file *file, enum kernel_read_file_id id);
> extern int ima_post_read_file(struct file *file, void *buf, loff_t size,
> enum kernel_read_file_id id);
>
> @@ -48,6 +49,11 @@ static inline int ima_module_check(struct file *file)
> return 0;
> }
>
> +static inline int ima_read_file(struct file *file, enum kernel_read_file_id id)
> +{
> + return 0;
> +}
> +
> static inline int ima_post_read_file(struct file *file, void *buf, loff_t size,
> enum kernel_read_file_id id)
> {
> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> index 7d04a12..d32b7bd 100644
> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -552,6 +552,12 @@
> * the kernel module to load. If the module is being loaded from a blob,
> * this argument will be NULL.
> * Return 0 if permission is granted.
> + * @kernel_read_file:
> + * Read a file specified by userspace.
> + * @file contains the file structure pointing to the file being read
> + * by the kernel.
> + * @id kernel read file identifier
> + * Return 0 if permission is granted.
> * @kernel_post_read_file:
> * Read a file specified by userspace.
> * @file contains the file structure pointing to the file being read
> @@ -1455,6 +1461,7 @@ union security_list_options {
> int (*kernel_create_files_as)(struct cred *new, struct inode *inode);
> int (*kernel_module_request)(char *kmod_name);
> int (*kernel_module_from_file)(struct file *file);
> + int (*kernel_read_file)(struct file *file, enum kernel_read_file_id id);
> int (*kernel_post_read_file)(struct file *file, char *buf, loff_t size,
> enum kernel_read_file_id id);
> int (*task_fix_setuid)(struct cred *new, const struct cred *old,
> @@ -1715,6 +1722,7 @@ struct security_hook_heads {
> struct list_head cred_transfer;
> struct list_head kernel_act_as;
> struct list_head kernel_create_files_as;
> + struct list_head kernel_read_file;
> struct list_head kernel_post_read_file;
> struct list_head kernel_module_request;
> struct list_head kernel_module_from_file;
> diff --git a/include/linux/security.h b/include/linux/security.h
> index cee1349..071fb74 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -302,6 +302,7 @@ int security_kernel_act_as(struct cred *new, u32 secid);
> int security_kernel_create_files_as(struct cred *new, struct inode *inode);
> int security_kernel_module_request(char *kmod_name);
> int security_kernel_module_from_file(struct file *file);
> +int security_kernel_read_file(struct file *file, enum kernel_read_file_id id);
> int security_kernel_post_read_file(struct file *file, char *buf, loff_t size,
> enum kernel_read_file_id id);
> int security_task_fix_setuid(struct cred *new, const struct cred *old,
> @@ -863,6 +864,12 @@ static inline int security_kernel_module_from_file(struct file *file)
> return 0;
> }
>
> +static inline int security_kernel_read_file(struct file *file,
> + enum kernel_read_file_id id)
> +{
> + return 0;
> +}
> +
> static inline int security_kernel_post_read_file(struct file *file,
> char *buf, loff_t size,
> enum kernel_read_file_id id)
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index 4a5db31..6f79bdf 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -338,6 +338,22 @@ int ima_module_check(struct file *file)
> }
>
> /**
> + * ima_read_file - pre-measure/appraise hook decision based on policy
> + * @file: pointer to the file to be measured/appraised/audit
> + * @read_id: caller identifier
> + *
> + * Permit reading a file based on policy. The policy rules are written
> + * in terms of the policy identifier. Appraising the integrity of
> + * a file requires a file descriptor.
> + *
> + * For permission return 0, otherwise return -EACCES.
> + */
> +int ima_read_file(struct file *file, enum kernel_read_file_id read_id)
> +{
> + return 0;
> +}
> +
> +/**
> * ima_post_read_file - in memory collect/appraise/audit measurement
> * @file: pointer to the file to be measured/appraised/audit
> * @buf: pointer to in memory file contents
> diff --git a/security/security.c b/security/security.c
> index 81a4c3a..1728fe2 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -899,6 +899,16 @@ int security_kernel_module_from_file(struct file *file)
> return ima_module_check(file);
> }
>
> +int security_kernel_read_file(struct file *file, enum kernel_read_file_id id)
> +{
> + int ret;
> +
> + ret = call_int_hook(kernel_read_file, 0, file, id);
> + if (ret)
> + return ret;
> + return ima_read_file(file, id);
> +}
> +
> int security_kernel_post_read_file(struct file *file, char *buf, loff_t size,
> enum kernel_read_file_id id)
> {
> @@ -1695,6 +1705,8 @@ struct security_hook_heads security_hook_heads = {
> LIST_HEAD_INIT(security_hook_heads.kernel_module_request),
> .kernel_module_from_file =
> LIST_HEAD_INIT(security_hook_heads.kernel_module_from_file),
> + .kernel_read_file =
> + LIST_HEAD_INIT(security_hook_heads.kernel_read_file),
> .kernel_post_read_file =
> LIST_HEAD_INIT(security_hook_heads.kernel_post_read_file),
> .task_fix_setuid =
WARNING: multiple messages have this Message-ID (diff)
From: Casey Schaufler <casey@schaufler-ca.com>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>,
linux-security-module@vger.kernel.org,
"Luis R. Rodriguez" <mcgrof@suse.com>,
kexec@lists.infradead.org, linux-modules@vger.kernel.org,
fsdevel@vger.kernel.org, David Howells <dhowells@redhat.com>,
David Woodhouse <dwmw2@infradead.org>,
Kees Cook <keescook@chromium.org>,
Dmitry Torokhov <dmitry.torokhov@gmail.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
Eric Biederman <ebiederm@xmission.com>,
Rusty Russell <rusty@rustcorp.com.au>
Subject: Re: [PATCH v3 14/22] security: define kernel_read_file hook
Date: Thu, 11 Feb 2016 08:54:01 -0800 [thread overview]
Message-ID: <56BCBCA9.3040102@schaufler-ca.com> (raw)
In-Reply-To: <1454526390-19792-15-git-send-email-zohar@linux.vnet.ibm.com>
On 2/3/2016 11:06 AM, Mimi Zohar wrote:
> The kernel_read_file security hook is called prior to reading the file
> into memory.
>
> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Being able to deny the read prior to performing any
real work makes a lot of sense.
> ---
> fs/exec.c | 4 ++++
> include/linux/ima.h | 6 ++++++
> include/linux/lsm_hooks.h | 8 ++++++++
> include/linux/security.h | 7 +++++++
> security/integrity/ima/ima_main.c | 16 ++++++++++++++++
> security/security.c | 12 ++++++++++++
> 6 files changed, 53 insertions(+)
>
> diff --git a/fs/exec.c b/fs/exec.c
> index 5629958..1d39c4e 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -842,6 +842,10 @@ int kernel_read_file(struct file *file, void **buf, loff_t *size,
> if (!S_ISREG(file_inode(file)->i_mode) || max_size < 0)
> return -EINVAL;
>
> + ret = security_kernel_read_file(file, id);
> + if (ret)
> + return ret;
> +
> i_size = i_size_read(file_inode(file));
> if (max_size > 0 && i_size > max_size)
> return -EFBIG;
> diff --git a/include/linux/ima.h b/include/linux/ima.h
> index 7aea486..6adcaea 100644
> --- a/include/linux/ima.h
> +++ b/include/linux/ima.h
> @@ -19,6 +19,7 @@ extern int ima_file_check(struct file *file, int mask, int opened);
> extern void ima_file_free(struct file *file);
> extern int ima_file_mmap(struct file *file, unsigned long prot);
> extern int ima_module_check(struct file *file);
> +extern int ima_read_file(struct file *file, enum kernel_read_file_id id);
> extern int ima_post_read_file(struct file *file, void *buf, loff_t size,
> enum kernel_read_file_id id);
>
> @@ -48,6 +49,11 @@ static inline int ima_module_check(struct file *file)
> return 0;
> }
>
> +static inline int ima_read_file(struct file *file, enum kernel_read_file_id id)
> +{
> + return 0;
> +}
> +
> static inline int ima_post_read_file(struct file *file, void *buf, loff_t size,
> enum kernel_read_file_id id)
> {
> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> index 7d04a12..d32b7bd 100644
> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -552,6 +552,12 @@
> * the kernel module to load. If the module is being loaded from a blob,
> * this argument will be NULL.
> * Return 0 if permission is granted.
> + * @kernel_read_file:
> + * Read a file specified by userspace.
> + * @file contains the file structure pointing to the file being read
> + * by the kernel.
> + * @id kernel read file identifier
> + * Return 0 if permission is granted.
> * @kernel_post_read_file:
> * Read a file specified by userspace.
> * @file contains the file structure pointing to the file being read
> @@ -1455,6 +1461,7 @@ union security_list_options {
> int (*kernel_create_files_as)(struct cred *new, struct inode *inode);
> int (*kernel_module_request)(char *kmod_name);
> int (*kernel_module_from_file)(struct file *file);
> + int (*kernel_read_file)(struct file *file, enum kernel_read_file_id id);
> int (*kernel_post_read_file)(struct file *file, char *buf, loff_t size,
> enum kernel_read_file_id id);
> int (*task_fix_setuid)(struct cred *new, const struct cred *old,
> @@ -1715,6 +1722,7 @@ struct security_hook_heads {
> struct list_head cred_transfer;
> struct list_head kernel_act_as;
> struct list_head kernel_create_files_as;
> + struct list_head kernel_read_file;
> struct list_head kernel_post_read_file;
> struct list_head kernel_module_request;
> struct list_head kernel_module_from_file;
> diff --git a/include/linux/security.h b/include/linux/security.h
> index cee1349..071fb74 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -302,6 +302,7 @@ int security_kernel_act_as(struct cred *new, u32 secid);
> int security_kernel_create_files_as(struct cred *new, struct inode *inode);
> int security_kernel_module_request(char *kmod_name);
> int security_kernel_module_from_file(struct file *file);
> +int security_kernel_read_file(struct file *file, enum kernel_read_file_id id);
> int security_kernel_post_read_file(struct file *file, char *buf, loff_t size,
> enum kernel_read_file_id id);
> int security_task_fix_setuid(struct cred *new, const struct cred *old,
> @@ -863,6 +864,12 @@ static inline int security_kernel_module_from_file(struct file *file)
> return 0;
> }
>
> +static inline int security_kernel_read_file(struct file *file,
> + enum kernel_read_file_id id)
> +{
> + return 0;
> +}
> +
> static inline int security_kernel_post_read_file(struct file *file,
> char *buf, loff_t size,
> enum kernel_read_file_id id)
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index 4a5db31..6f79bdf 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -338,6 +338,22 @@ int ima_module_check(struct file *file)
> }
>
> /**
> + * ima_read_file - pre-measure/appraise hook decision based on policy
> + * @file: pointer to the file to be measured/appraised/audit
> + * @read_id: caller identifier
> + *
> + * Permit reading a file based on policy. The policy rules are written
> + * in terms of the policy identifier. Appraising the integrity of
> + * a file requires a file descriptor.
> + *
> + * For permission return 0, otherwise return -EACCES.
> + */
> +int ima_read_file(struct file *file, enum kernel_read_file_id read_id)
> +{
> + return 0;
> +}
> +
> +/**
> * ima_post_read_file - in memory collect/appraise/audit measurement
> * @file: pointer to the file to be measured/appraised/audit
> * @buf: pointer to in memory file contents
> diff --git a/security/security.c b/security/security.c
> index 81a4c3a..1728fe2 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -899,6 +899,16 @@ int security_kernel_module_from_file(struct file *file)
> return ima_module_check(file);
> }
>
> +int security_kernel_read_file(struct file *file, enum kernel_read_file_id id)
> +{
> + int ret;
> +
> + ret = call_int_hook(kernel_read_file, 0, file, id);
> + if (ret)
> + return ret;
> + return ima_read_file(file, id);
> +}
> +
> int security_kernel_post_read_file(struct file *file, char *buf, loff_t size,
> enum kernel_read_file_id id)
> {
> @@ -1695,6 +1705,8 @@ struct security_hook_heads security_hook_heads = {
> LIST_HEAD_INIT(security_hook_heads.kernel_module_request),
> .kernel_module_from_file =
> LIST_HEAD_INIT(security_hook_heads.kernel_module_from_file),
> + .kernel_read_file =
> + LIST_HEAD_INIT(security_hook_heads.kernel_read_file),
> .kernel_post_read_file =
> LIST_HEAD_INIT(security_hook_heads.kernel_post_read_file),
> .task_fix_setuid =
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
next prev parent reply other threads:[~2016-02-11 17:00 UTC|newest]
Thread overview: 154+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-02-03 19:06 [PATCH v3 00/22] vfs: support for a common kernel file loader Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-03 19:06 ` [PATCH v3 01/22] ima: separate 'security.ima' reading functionality from collect Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-03 19:06 ` [PATCH v3 02/22] ima: refactor ima_policy_show() to display "ima_hooks" rules Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-07 19:45 ` Petko Manolov
2016-02-07 19:45 ` Petko Manolov
2016-02-10 19:33 ` Dmitry Kasatkin
2016-02-10 19:33 ` Dmitry Kasatkin
2016-02-03 19:06 ` [PATCH v3 03/22] ima: use "ima_hooks" enum as function argument Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-07 19:46 ` Petko Manolov
2016-02-07 19:46 ` Petko Manolov
2016-02-10 19:35 ` Dmitry Kasatkin
2016-02-10 19:35 ` Dmitry Kasatkin
2016-02-03 19:06 ` [PATCH v3 04/22] firmware: simplify dev_*() print messages for generic helpers Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-04 17:26 ` Kees Cook
2016-02-04 17:26 ` Kees Cook
2016-02-03 19:06 ` [PATCH v3 05/22] firmware: move completing fw into a helper Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-04 17:27 ` Kees Cook
2016-02-04 17:27 ` Kees Cook
2016-02-03 19:06 ` [PATCH v3 06/22] firmware: fold successful fw read early Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-04 17:36 ` Kees Cook
2016-02-04 17:36 ` Kees Cook
2016-02-04 20:26 ` Luis R. Rodriguez
2016-02-04 20:26 ` Luis R. Rodriguez
2016-02-03 19:06 ` [PATCH v3 07/22] vfs: define a generic function to read a file from the kernel Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-04 17:41 ` Kees Cook
2016-02-04 17:41 ` Kees Cook
2016-02-03 19:06 ` [PATCH v3 08/22] vfs: define kernel_read_file_id enumeration Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-04 17:41 ` Kees Cook
2016-02-04 17:41 ` Kees Cook
2016-02-04 19:45 ` Luis R. Rodriguez
2016-02-04 19:45 ` Luis R. Rodriguez
2016-02-03 19:06 ` [PATCH v3 09/22] ima: provide buffer hash calculation function Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-03 19:06 ` [PATCH v3 10/22] ima: calculate the hash of a buffer using aynchronous hash(ahash) Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-10 19:58 ` Dmitry Kasatkin
2016-02-10 19:58 ` Dmitry Kasatkin
2016-02-03 19:06 ` [PATCH v3 11/22] ima: define a new hook to measure and appraise a file already in memory Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-10 20:27 ` Dmitry Kasatkin
2016-02-10 20:27 ` Dmitry Kasatkin
2016-02-03 19:06 ` [PATCH v3 12/22] vfs: define kernel_read_file_from_path Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-04 17:46 ` Kees Cook
2016-02-04 17:46 ` Kees Cook
2016-02-04 19:47 ` Luis R. Rodriguez
2016-02-04 19:47 ` Luis R. Rodriguez
2016-02-03 19:06 ` [PATCH v3 13/22] firmware: replace call to fw_read_file_contents() with kernel version Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-04 17:56 ` Kees Cook
2016-02-04 17:56 ` Kees Cook
2016-02-04 19:51 ` Luis R. Rodriguez
2016-02-04 19:51 ` Luis R. Rodriguez
2016-02-03 19:06 ` [PATCH v3 14/22] security: define kernel_read_file hook Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-04 17:57 ` Kees Cook
2016-02-04 17:57 ` Kees Cook
2016-02-04 19:54 ` Luis R. Rodriguez
2016-02-04 19:54 ` Luis R. Rodriguez
2016-02-11 16:54 ` Casey Schaufler [this message]
2016-02-11 16:54 ` Casey Schaufler
2016-02-11 19:35 ` Mimi Zohar
2016-02-11 19:35 ` Mimi Zohar
2016-02-03 19:06 ` [PATCH v3 15/22] vfs: define kernel_copy_file_from_fd() Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-04 17:58 ` Kees Cook
2016-02-04 17:58 ` Kees Cook
2016-02-04 19:55 ` Luis R. Rodriguez
2016-02-04 19:55 ` Luis R. Rodriguez
2016-02-03 19:06 ` [PATCH v3 16/22] module: replace copy_module_from_fd with kernel version Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-04 18:04 ` Kees Cook
2016-02-04 18:04 ` Kees Cook
2016-02-04 19:56 ` Luis R. Rodriguez
2016-02-04 19:56 ` Luis R. Rodriguez
2016-02-05 0:19 ` Mimi Zohar
2016-02-05 0:19 ` Mimi Zohar
2016-02-03 19:06 ` [PATCH v3 17/22] ima: remove firmware and module specific cached status info Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-07 19:56 ` Petko Manolov
2016-02-07 19:56 ` Petko Manolov
2016-02-10 20:18 ` Dmitry Kasatkin
2016-02-10 20:18 ` Dmitry Kasatkin
2016-02-10 23:14 ` Mimi Zohar
2016-02-10 23:14 ` Mimi Zohar
2016-02-03 19:06 ` [PATCH v3 18/22] kexec: replace call to copy_file_from_fd() with kernel version Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-04 18:05 ` Kees Cook
2016-02-04 18:05 ` Kees Cook
2016-02-04 19:57 ` Luis R. Rodriguez
2016-02-04 19:57 ` Luis R. Rodriguez
2016-02-12 12:50 ` Dave Young
2016-02-12 12:50 ` Dave Young
2016-02-03 19:06 ` [PATCH v3 19/22] ima: support for kexec image and initramfs Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-07 20:10 ` Petko Manolov
2016-02-07 20:10 ` Petko Manolov
2016-02-08 23:34 ` Mimi Zohar
2016-02-08 23:34 ` Mimi Zohar
2016-02-10 21:09 ` Dmitry Kasatkin
2016-02-10 21:09 ` Dmitry Kasatkin
2016-02-10 23:21 ` Mimi Zohar
2016-02-10 23:21 ` Mimi Zohar
[not found] ` <CACE9dm8OJ1cgbKszUG-pCiEMVarUFLLWi_jewVV-JEMGAJsA-g@mail.gmail.com>
2016-02-11 2:08 ` Mimi Zohar
2016-02-11 2:08 ` Mimi Zohar
2016-02-11 8:47 ` Dmitry Kasatkin
2016-02-11 8:47 ` Dmitry Kasatkin
2016-02-11 12:16 ` Mimi Zohar
2016-02-11 12:16 ` Mimi Zohar
2016-02-12 12:53 ` Dave Young
2016-02-12 12:53 ` Dave Young
2016-02-12 13:09 ` Mimi Zohar
2016-02-12 13:09 ` Mimi Zohar
2016-02-03 19:06 ` [PATCH v3 20/22] ima: load policy using path Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-07 19:59 ` Petko Manolov
2016-02-07 19:59 ` Petko Manolov
2016-02-08 9:58 ` Dmitry Kasatkin
2016-02-08 9:58 ` Dmitry Kasatkin
2016-02-08 10:35 ` Petko Manolov
2016-02-08 10:35 ` Petko Manolov
2016-02-08 10:45 ` Dmitry Kasatkin
2016-02-08 10:45 ` Dmitry Kasatkin
2016-02-08 21:12 ` Mimi Zohar
2016-02-08 21:12 ` Mimi Zohar
2016-02-09 7:47 ` Petko Manolov
2016-02-09 7:47 ` Petko Manolov
2016-02-03 19:06 ` [PATCH v3 21/22] ima: measure and appraise the IMA policy itself Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-07 20:01 ` Petko Manolov
2016-02-07 20:01 ` Petko Manolov
2016-02-10 20:22 ` Dmitry Kasatkin
2016-02-10 20:22 ` Dmitry Kasatkin
2016-02-10 23:15 ` Mimi Zohar
2016-02-10 23:15 ` Mimi Zohar
2016-02-03 19:06 ` [PATCH v3 22/22] ima: require signed IMA policy Mimi Zohar
2016-02-03 19:06 ` Mimi Zohar
2016-02-07 20:02 ` Petko Manolov
2016-02-07 20:02 ` Petko Manolov
2016-02-10 20:24 ` Dmitry Kasatkin
2016-02-10 20:24 ` Dmitry Kasatkin
2016-02-04 18:15 ` [PATCH v3 00/22] vfs: support for a common kernel file loader Kees Cook
2016-02-04 18:15 ` Kees Cook
2016-02-04 23:54 ` Mimi Zohar
2016-02-04 23:54 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56BCBCA9.3040102@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=dmitry.torokhov@gmail.com \
--cc=dwmw2@infradead.org \
--cc=ebiederm@xmission.com \
--cc=fsdevel@vger.kernel.org \
--cc=keescook@chromium.org \
--cc=kexec@lists.infradead.org \
--cc=linux-modules@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mcgrof@suse.com \
--cc=rusty@rustcorp.com.au \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.