From: Casey Schaufler <casey@schaufler-ca.com> To: Mimi Zohar <zohar@linux.vnet.ibm.com>, linux-security-module@vger.kernel.org, "Luis R. Rodriguez" <mcgrof@suse.com>, kexec@lists.infradead.org, linux-modules@vger.kernel.org, fsdevel@vger.kernel.org, David Howells <dhowells@redhat.com>, David Woodhouse <dwmw2@infradead.org>, Kees Cook <keescook@chromium.org>, Dmitry Torokhov <dmitry.torokhov@gmail.com>, Dmitry Kasatkin <dmitry.kasatkin@gmail.com>, Eric Biederman <ebiederm@xmission.com>, Rusty Russell <rusty@rustcorp.com.au> Subject: Re: [PATCH v3 14/22] security: define kernel_read_file hook Date: Thu, 11 Feb 2016 08:54:01 -0800 [thread overview] Message-ID: <56BCBCA9.3040102@schaufler-ca.com> (raw) In-Reply-To: <1454526390-19792-15-git-send-email-zohar@linux.vnet.ibm.com> On 2/3/2016 11:06 AM, Mimi Zohar wrote: > The kernel_read_file security hook is called prior to reading the file > into memory. > > Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Being able to deny the read prior to performing any real work makes a lot of sense. > --- > fs/exec.c | 4 ++++ > include/linux/ima.h | 6 ++++++ > include/linux/lsm_hooks.h | 8 ++++++++ > include/linux/security.h | 7 +++++++ > security/integrity/ima/ima_main.c | 16 ++++++++++++++++ > security/security.c | 12 ++++++++++++ > 6 files changed, 53 insertions(+) > > diff --git a/fs/exec.c b/fs/exec.c > index 5629958..1d39c4e 100644 > --- a/fs/exec.c > +++ b/fs/exec.c > @@ -842,6 +842,10 @@ int kernel_read_file(struct file *file, void **buf, loff_t *size, > if (!S_ISREG(file_inode(file)->i_mode) || max_size < 0) > return -EINVAL; > > + ret = security_kernel_read_file(file, id); > + if (ret) > + return ret; > + > i_size = i_size_read(file_inode(file)); > if (max_size > 0 && i_size > max_size) > return -EFBIG; > diff --git a/include/linux/ima.h b/include/linux/ima.h > index 7aea486..6adcaea 100644 > --- a/include/linux/ima.h > +++ b/include/linux/ima.h 
> @@ -19,6 +19,7 @@ extern int ima_file_check(struct file *file, int mask, int opened); > extern void ima_file_free(struct file *file); > extern int ima_file_mmap(struct file *file, unsigned long prot); > extern int ima_module_check(struct file *file); > +extern int ima_read_file(struct file *file, enum kernel_read_file_id id); > extern int ima_post_read_file(struct file *file, void *buf, loff_t size, > enum kernel_read_file_id id); > > @@ -48,6 +49,11 @@ static inline int ima_module_check(struct file *file) > return 0; > } > > +static inline int ima_read_file(struct file *file, enum kernel_read_file_id id) > +{ > + return 0; > +} > + > static inline int ima_post_read_file(struct file *file, void *buf, loff_t size, > enum kernel_read_file_id id) > { > diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h > index 7d04a12..d32b7bd 100644 > --- a/include/linux/lsm_hooks.h > +++ b/include/linux/lsm_hooks.h > @@ -552,6 +552,12 @@ > * the kernel module to load. If the module is being loaded from a blob, > * this argument will be NULL. > * Return 0 if permission is granted. > + * @kernel_read_file: > + * Read a file specified by userspace. > + * @file contains the file structure pointing to the file being read > + * by the kernel. > + * @id kernel read file identifier > + * Return 0 if permission is granted. > * @kernel_post_read_file: > * Read a file specified by userspace. > * @file contains the file structure pointing to the file being read > @@ -1455,6 +1461,7 @@ union security_list_options { > int (*kernel_create_files_as)(struct cred *new, struct inode *inode); > int (*kernel_module_request)(char *kmod_name); > int (*kernel_module_from_file)(struct file *file); > + int (*kernel_read_file)(struct file *file, enum kernel_read_file_id id); > int (*kernel_post_read_file)(struct file *file, char *buf, loff_t size, > enum kernel_read_file_id id); > int (*task_fix_setuid)(struct cred *new, const struct cred *old, 
> @@ -1715,6 +1722,7 @@ struct security_hook_heads { > struct list_head cred_transfer; > struct list_head kernel_act_as; > struct list_head kernel_create_files_as; > + struct list_head kernel_read_file; > struct list_head kernel_post_read_file; > struct list_head kernel_module_request; > struct list_head kernel_module_from_file; > diff --git a/include/linux/security.h b/include/linux/security.h > index cee1349..071fb74 100644 > --- a/include/linux/security.h > +++ b/include/linux/security.h > @@ -302,6 +302,7 @@ int security_kernel_act_as(struct cred *new, u32 secid); > int security_kernel_create_files_as(struct cred *new, struct inode *inode); > int security_kernel_module_request(char *kmod_name); > int security_kernel_module_from_file(struct file *file); > +int security_kernel_read_file(struct file *file, enum kernel_read_file_id id); > int security_kernel_post_read_file(struct file *file, char *buf, loff_t size, > enum kernel_read_file_id id); > int security_task_fix_setuid(struct cred *new, const struct cred *old, > @@ -863,6 +864,12 @@ static inline int security_kernel_module_from_file(struct file *file) > return 0; > } > > +static inline int security_kernel_read_file(struct file *file, > + enum kernel_read_file_id id) > +{ > + return 0; > +} > + > static inline int security_kernel_post_read_file(struct file *file, > char *buf, loff_t size, > enum kernel_read_file_id id) > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c > index 4a5db31..6f79bdf 100644 > --- a/security/integrity/ima/ima_main.c > +++ b/security/integrity/ima/ima_main.c 
> @@ -338,6 +338,22 @@ int ima_module_check(struct file *file) > } > > /** > + * ima_read_file - pre-measure/appraise hook decision based on policy > + * @file: pointer to the file to be measured/appraised/audit > + * @read_id: caller identifier > + * > + * Permit reading a file based on policy. The policy rules are written > + * in terms of the policy identifier. Appraising the integrity of > + * a file requires a file descriptor. > + * > + * For permission return 0, otherwise return -EACCES. > + */ > +int ima_read_file(struct file *file, enum kernel_read_file_id read_id) > +{ > + return 0; > +} > + > +/** > * ima_post_read_file - in memory collect/appraise/audit measurement > * @file: pointer to the file to be measured/appraised/audit > * @buf: pointer to in memory file contents > diff --git a/security/security.c b/security/security.c > index 81a4c3a..1728fe2 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -899,6 +899,16 @@ int security_kernel_module_from_file(struct file *file) > return ima_module_check(file); > } > > +int security_kernel_read_file(struct file *file, enum kernel_read_file_id id) > +{ > + int ret; > + > + ret = call_int_hook(kernel_read_file, 0, file, id); > + if (ret) > + return ret; > + return ima_read_file(file, id); > +} > + > int security_kernel_post_read_file(struct file *file, char *buf, loff_t size, > enum kernel_read_file_id id) > { > @@ -1695,6 +1705,8 @@ struct security_hook_heads security_hook_heads = { > LIST_HEAD_INIT(security_hook_heads.kernel_module_request), > .kernel_module_from_file = > LIST_HEAD_INIT(security_hook_heads.kernel_module_from_file), > + .kernel_read_file = > + LIST_HEAD_INIT(security_hook_heads.kernel_read_file), > .kernel_post_read_file = > LIST_HEAD_INIT(security_hook_heads.kernel_post_read_file), > .task_fix_setuid =
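Review bot: in the fs/exec.c hunk, security_kernel_read_file() is called only after the S_ISREG()/max_size check, so requests rejected with -EINVAL never reach the LSMs or IMA. If that is intended, a one-line comment above the call, and a matching sentence in the hook documentation, should say that the hook only sees requests that passed this validation.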
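Review bot: in the include/linux/lsm_hooks.h comment hunk, the new @kernel_read_file entry carries the same summary line as @kernel_post_read_file ("Read a file specified by userspace."), so the documentation does not say what distinguishes the two hooks. Suggest stating that this hook runs before the file is read into memory and therefore receives no buffer, and expanding "@id kernel read file identifier" to say it is the enum kernel_read_file_id value that identifies the caller.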
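Review bot: in the security/integrity/ima/ima_main.c hunk, the kernel-doc for ima_read_file() promises "For permission return 0, otherwise return -EACCES", but the body is an unconditional return 0, and neither the comment nor the commit message says it is a placeholder. Suggest noting that in the kernel-doc or the commit message. The parameter is also named read_id here but id in the include/linux/ima.h prototype and inline stub; use one name in all three places.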