On 19.10.2015 at 14:36, Yves-Alexis Perez wrote:
> On dim., 2015-10-18 at 20:41 -0500, Serge E. Hallyn wrote:
>> We shouldn't need a long-term solution. Your concern is bugs. After
>> some time surely we'll feel that we have achieved a stable solution?
>
> But this is actually the whole point:
Hi James,
This pull request is for a single bug fix from Dmitry to properly load
only signed certificates onto the trusted IMA keyring from the kernel.
(This patch has been in the linux-next tree).
thanks,
Mimi
The following changes since commit
049e6dde7e57f0054fdc49102e7ef4830c698b46:
On dim., 2015-10-18 at 20:41 -0500, Serge E. Hallyn wrote:
> We shouldn't need a long-term solution. Your concern is bugs. After
> some time surely we'll feel that we have achieved a stable solution?
But this is actually the whole point: we need a long term solution, because
they will always be
Dmitry Vyukov wrote:
> > Does the attached patch fix it for you?
>
> Yes, it fixes the crash for me.
Can I put you down as a Tested-by?
David
On Thu, Oct 15, 2015 at 9:21 PM, David Howells wrote:
> Does the attached patch fix it for you?
Yes, it fixes the crash for me.
> David
> ---
> commit a7609e0bb3973d6ee3c9f1ecd0b6a382d99d6248
> Author: David Howells
> Date: Thu Oct 15 17:21:37 2015
On 2015-10-17 11:58, Tobias Markus wrote:
Add capability CAP_SYS_USER_NS.
Tasks having CAP_SYS_USER_NS are allowed to create a new user namespace
when calling clone or unshare with CLONE_NEWUSER.
Rationale:
Linux 3.8 saw the introduction of unprivileged user namespaces,
allowing unprivileged
If request_key() is used to find a keyring, only do the search part - don't
do the construction part if the keyring was not found by the search. We
don't really want keyrings in the negative instantiated state since the
rejected/negative instantiation error value in the payload is unioned with
The following sequence of commands:
i=`keyctl add user a a @s`
keyctl request2 keyring foo bar @t
keyctl unlink $i @s
tries to invoke an upcall to instantiate a keyring if one doesn't already
exist by that name within the user's keyring set. However, if the upcall
fails, the code
On Fri, 2015-10-16 at 22:31 +0300, Petko Manolov wrote:
> When in development it is useful to read back the IMA policy. This patch
> provides the functionality. However, this is a potential security hole so
> it should not be used in production-grade kernels.
Like the other IMA securityfs
On 10/19/2015 9:23 AM, Rafal Krypa wrote:
> From: Zbigniew Jasinski
>
> This feature introduces new kernel interface:
>
> - /relabel-self - for setting transition labels list
>
> This list is used to control smack label transition mechanism.
> List is set by, and per
The following changes since commit 049e6dde7e57f0054fdc49102e7ef4830c698b46:
Linux 4.3-rc4 (2015-10-04 16:57:17 +0100)
are available in the git repository at:
https://github.com/cschaufler/smack-next.git smack-for-4.4
for you to fetch changes up to 38416e53936ecf896948fdeffc36b76979117952:
On Friday, October 09, 2015 10:56:12 AM Stephen Smalley wrote:
> On 10/07/2015 07:08 PM, Paul Moore wrote:
> > diff --git a/ipc/kdbus/connection.c b/ipc/kdbus/connection.c
> > index ef63d65..1cb87b3 100644
> > --- a/ipc/kdbus/connection.c
> > +++ b/ipc/kdbus/connection.c
> > @@ -108,6 +109,14 @@
On Mon, 2015-10-19 at 14:21 -0400, Mimi Zohar wrote:
> On Fri, 2015-10-16 at 22:31 +0300, Petko Manolov wrote:
> > diff --git a/security/integrity/ima/ima_fs.c
> > b/security/integrity/ima/ima_fs.c
> > index 816d175..a3cf5c0 100644
> > --- a/security/integrity/ima/ima_fs.c
> > +++
Please pull these key subsystem fixes for 4.3, per the message from David
Howells:
"Here are two patches, the first of which at least should go upstream
immediately:
(1) Prevent a user-triggerable crash in the keyrings destructor when a
negatively instantiated keyring is garbage
On Mon, 19 Oct 2015, Mimi Zohar wrote:
> Hi James,
>
> This pull request is for a single bug fix from Dmitry to properly load
> only signed certificates onto the trusted IMA keyring from the kernel.
> (This patch has been in the linux-next tree).
>
> thanks,
>
> Mimi
>
> The following changes
From: Zbigniew Jasinski
This feature introduces new kernel interface:
- /relabel-self - for setting transition labels list
This list is used to control smack label transition mechanism.
List is set by, and per process. Process can transit to new label only if
label is
16 matches