diff for duplicates of <87fu38jq98.fsf@xmission.com>
diff --git a/a/1.txt b/N1/1.txt
index ab481d0..6a1f6c5 100644
--- a/a/1.txt
+++ b/N1/1.txt
@@ -22,11 +22,11 @@ Mimi Zohar <zohar@linux.vnet.ibm.com> writes:
>> >> instrument of policy.
>> >
>> > True, for those building their own kernel, they can disable the old
->> > syscalls. The concern is not for those building their own kernels,
->> > but for those using stock kernels.
+>> > syscalls. ?The concern is not for those building their own kernels,
+>> > but for those using stock kernels. ?
>> >
>> > By adding an LSM hook here in the kexec_load syscall, as opposed to an
->> > IMA specific hook, other LSMs can piggy back on top of it. Currently,
+>> > IMA specific hook, other LSMs can piggy back on top of it. ?Currently,
>> > both load_pin and SELinux are gating the kernel module syscalls based
>> > on security_kernel_read_file.
>> >
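Review bot: the `?` on the three `+` lines (after "syscalls.", after "stock kernels." and before "Currently,") is not an edit to the quoted text. The content_digest hunks for this copy show `\302\240` at those positions, which is the UTF-8 encoding of U+00A0 (no-break space), so this copy went through a charset conversion that could not represent it. Treat it as a transport artifact. The substitution cannot be reversed reliably, because a literal `?` elsewhere in a body would look the same, so a body comparison meant to tolerate this has to be lenient at these positions instead of trying to restore the original bytes.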
@@ -43,7 +43,7 @@ Mimi Zohar <zohar@linux.vnet.ibm.com> writes:
> Suppose a system owner wants to define a system wide policy that
> requires all code be signed - kernel modules, firmware, kexec image &
> initramfs, executables, mmapped files, etc - without having to rebuild
-> the kernel. Without a call in kexec_load that isn't possible.
+> the kernel. ?Without a call in kexec_load that isn't possible.
Of course it is. You just make it a requirement that before an
executable will be signed it will be audited to see that it doesn't
@@ -70,4 +70,8 @@ Signing is only a tool to enforce a policy. Signing by itself is not a
policy. Enforcing any quality controls in the signed executables should
trivially prevent kexec_load from being used.
-Eric
\ No newline at end of file
+Eric
+--
+To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
+the body of a message to majordomo at vger.kernel.org
+More majordomo info at http://vger.kernel.org/majordomo-info.html
\ No newline at end of file
diff --git a/a/content_digest b/N1/content_digest
index 7412c7c..814f0c9 100644
--- a/a/content_digest
+++ b/N1/content_digest
@@ -17,23 +17,13 @@
"From\0ebiederm\@xmission.com (Eric W. Biederman)\0"
]
[
- "Subject\0Re: [PATCH 0/3] kexec: limit kexec_load syscall\0"
+ "Subject\0[PATCH 0/3] kexec: limit kexec_load syscall\0"
]
[
"Date\0Thu, 03 May 2018 18:03:47 -0500\0"
]
[
- "To\0Mimi Zohar <zohar\@linux.vnet.ibm.com>\0"
-]
-[
- "Cc\0Kees Cook <keescook\@chromium.org>",
- " David Howells <dhowells\@redhat.com>",
- " Matthew Garrett <mjg59\@google.com>",
- " linux-integrity\@vger.kernel.org",
- " linux-security-module\@vger.kernel.org",
- " kexec\@lists.infradead.org",
- " linux-kernel\@vger.kernel.org",
- " kernel-hardening\@lists.openwall.com\0"
+ "To\0linux-security-module\@vger.kernel.org\0"
]
[
"\0000:1\0"
@@ -66,11 +56,11 @@
">> >> instrument of policy.\n",
">> >\n",
">> > True, for those building their own kernel, they can disable the old\n",
- ">> > syscalls. \302\240The concern is not for those building their own kernels,\n",
- ">> > but for those using stock kernels. \302\240\n",
+ ">> > syscalls. ?The concern is not for those building their own kernels,\n",
+ ">> > but for those using stock kernels. ?\n",
">> >\n",
">> > By adding an LSM hook here in the kexec_load syscall, as opposed to an\n",
- ">> > IMA specific hook, other LSMs can piggy back on top of it. \302\240Currently,\n",
+ ">> > IMA specific hook, other LSMs can piggy back on top of it. ?Currently,\n",
">> > both load_pin and SELinux are gating the kernel module syscalls based\n",
">> > on security_kernel_read_file.\n",
">> >\n",
@@ -87,7 +77,7 @@
"> Suppose a system owner wants to define a system wide policy that\n",
"> requires all code be signed - kernel modules, firmware, kexec image &\n",
"> initramfs, executables, mmapped files, etc - without having to rebuild\n",
- "> the kernel. \302\240Without a call in kexec_load that isn't possible.\n",
+ "> the kernel. ?Without a call in kexec_load that isn't possible.\n",
"\n",
"Of course it is. You just make it a requirement that before an\n",
"executable will be signed it will be audited to see that it doesn't\n",
@@ -114,7 +104,11 @@
"policy. Enforcing any quality controls in the signed executables should\n",
"trivially prevent kexec_load from being used.\n",
"\n",
- "Eric"
+ "Eric\n",
+ "--\n",
+ "To unsubscribe from this list: send the line \"unsubscribe linux-security-module\" in\n",
+ "the body of a message to majordomo at vger.kernel.org\n",
+ "More majordomo info at http://vger.kernel.org/majordomo-info.html"
]
-a2ccf036a0320a30c6f8fb361284236834926a43f742d0208bbdbcb9584d5955
+982688310c0c2599b7e2f5a028b50c396ce8d69539988075bc339675ecbde189
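Review bot: the four lines added after "Eric" are the list server's unsubscribe footer, and they are part of the hashed body, which is enough on its own to change the digest on the last line. The separator is `"--\n"` with no trailing space, so it is not the conventional "-- " signature delimiter and signature-stripping clients will leave the footer in place. The address is also obfuscated as "majordomo at vger.kernel.org". If the goal is to recognise this copy as the same message, strip the known list footer before comparing bodies instead of relying on a generic signature cut.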
diff --git a/a/1.txt b/N2/1.txt
index ab481d0..890cb3c 100644
--- a/a/1.txt
+++ b/N2/1.txt
@@ -22,11 +22,11 @@ Mimi Zohar <zohar@linux.vnet.ibm.com> writes:
>> >> instrument of policy.
>> >
>> > True, for those building their own kernel, they can disable the old
->> > syscalls. The concern is not for those building their own kernels,
->> > but for those using stock kernels.
+>> > syscalls. The concern is not for those building their own kernels,
+>> > but for those using stock kernels.
>> >
>> > By adding an LSM hook here in the kexec_load syscall, as opposed to an
->> > IMA specific hook, other LSMs can piggy back on top of it. Currently,
+>> > IMA specific hook, other LSMs can piggy back on top of it. Currently,
>> > both load_pin and SELinux are gating the kernel module syscalls based
>> > on security_kernel_read_file.
>> >
@@ -43,7 +43,7 @@ Mimi Zohar <zohar@linux.vnet.ibm.com> writes:
> Suppose a system owner wants to define a system wide policy that
> requires all code be signed - kernel modules, firmware, kexec image &
> initramfs, executables, mmapped files, etc - without having to rebuild
-> the kernel. Without a call in kexec_load that isn't possible.
+> the kernel. Without a call in kexec_load that isn't possible.
Of course it is. You just make it a requirement that before an
executable will be signed it will be audited to see that it doesn't
diff --git a/a/content_digest b/N2/content_digest
index 7412c7c..1acd082 100644
--- a/a/content_digest
+++ b/N2/content_digest
@@ -66,11 +66,11 @@
">> >> instrument of policy.\n",
">> >\n",
">> > True, for those building their own kernel, they can disable the old\n",
- ">> > syscalls. \302\240The concern is not for those building their own kernels,\n",
- ">> > but for those using stock kernels. \302\240\n",
+ ">> > syscalls. The concern is not for those building their own kernels,\n",
+ ">> > but for those using stock kernels. \n",
">> >\n",
">> > By adding an LSM hook here in the kexec_load syscall, as opposed to an\n",
- ">> > IMA specific hook, other LSMs can piggy back on top of it. \302\240Currently,\n",
+ ">> > IMA specific hook, other LSMs can piggy back on top of it. Currently,\n",
">> > both load_pin and SELinux are gating the kernel module syscalls based\n",
">> > on security_kernel_read_file.\n",
">> >\n",
@@ -87,7 +87,7 @@
"> Suppose a system owner wants to define a system wide policy that\n",
"> requires all code be signed - kernel modules, firmware, kexec image &\n",
"> initramfs, executables, mmapped files, etc - without having to rebuild\n",
- "> the kernel. \302\240Without a call in kexec_load that isn't possible.\n",
+ "> the kernel. Without a call in kexec_load that isn't possible.\n",
"\n",
"Of course it is. You just make it a requirement that before an\n",
"executable will be signed it will be audited to see that it doesn't\n",
@@ -117,4 +117,4 @@
"Eric"
]
-a2ccf036a0320a30c6f8fb361284236834926a43f742d0208bbdbcb9584d5955
+40d193e8b96f05cea8d01c591afa39045498998fdb4e786b6c8f70fa652d8778
diff --git a/a/1.txt b/N3/1.txt
index ab481d0..11050b1 100644
--- a/a/1.txt
+++ b/N3/1.txt
@@ -70,4 +70,9 @@ Signing is only a tool to enforce a policy. Signing by itself is not a
policy. Enforcing any quality controls in the signed executables should
trivially prevent kexec_load from being used.
-Eric
\ No newline at end of file
+Eric
+
+_______________________________________________
+kexec mailing list
+kexec@lists.infradead.org
+http://lists.infradead.org/mailman/listinfo/kexec
\ No newline at end of file
diff --git a/a/content_digest b/N3/content_digest
index 7412c7c..37b7bba 100644
--- a/a/content_digest
+++ b/N3/content_digest
@@ -27,13 +27,13 @@
]
[
"Cc\0Kees Cook <keescook\@chromium.org>",
- " David Howells <dhowells\@redhat.com>",
- " Matthew Garrett <mjg59\@google.com>",
- " linux-integrity\@vger.kernel.org",
- " linux-security-module\@vger.kernel.org",
+ " kernel-hardening\@lists.openwall.com",
" kexec\@lists.infradead.org",
" linux-kernel\@vger.kernel.org",
- " kernel-hardening\@lists.openwall.com\0"
+ " Matthew Garrett <mjg59\@google.com>",
+ " David Howells <dhowells\@redhat.com>",
+ " linux-security-module\@vger.kernel.org",
+ " linux-integrity\@vger.kernel.org\0"
]
[
"\0000:1\0"
@@ -114,7 +114,12 @@
"policy. Enforcing any quality controls in the signed executables should\n",
"trivially prevent kexec_load from being used.\n",
"\n",
- "Eric"
+ "Eric\n",
+ "\n",
+ "_______________________________________________\n",
+ "kexec mailing list\n",
+ "kexec\@lists.infradead.org\n",
+ "http://lists.infradead.org/mailman/listinfo/kexec"
]
-a2ccf036a0320a30c6f8fb361284236834926a43f742d0208bbdbcb9584d5955
+c3acbb623accee99a9b35cad97e1222481dcb1fff3e27f95be8c630b493330c4