[PATCHv3 1/6] integrity: define '.evm' as a builtin 'trusted' keyring

2015-10-22 Thread Dmitry Kasatkin
Require all keys added to the EVM keyring be signed by an existing trusted key on the system trusted keyring. This patch also switches IMA to use integrity_init_keyring(). Changes in v3: * Added 'init_keyring' config based variable to skip initializing keyring instead of using

[PATCHv3 3/6] evm: enable EVM when X509 certificate is loaded

2015-10-22 Thread Dmitry Kasatkin
In order to enable EVM before starting the 'init' process, evm_initialized needs to be non-zero. Before, it indicated that the HMAC key was loaded. When EVM loads an X509 certificate before calling 'init', it is possible to enable EVM to start signature-based verification. This patch defines bits to enable EVM if

[PATCHv3 4/6] evm: provide a function to set EVM key from the kernel

2015-10-22 Thread Dmitry Kasatkin
A crypto HW kernel module can possibly initialize the EVM key from kernel __init code to enable EVM before calling the 'init' process. This patch provides a function, evm_set_key(), which can be used to set a custom key directly in EVM without using the KEY subsystem. Changes in v3: * error reporting moved to

[PATCHv3 5/6] evm: define EVM key max and min sizes

2015-10-22 Thread Dmitry Kasatkin
This patch imposes a minimum key size limit. It declares EVM_MIN_KEY_SIZE and EVM_MAX_KEY_SIZE in a public header file. Signed-off-by: Dmitry Kasatkin --- include/linux/evm.h | 3 +++ security/integrity/evm/evm_crypto.c | 7 +++ 2 files changed, 6

Re: [PATCH v4 1/3] Enable multiple writes to the IMA policy;

2015-10-22 Thread Dmitry Kasatkin
Hi Petko, I have a question. On Fri, Oct 16, 2015 at 10:31 PM, Petko Manolov wrote: > IMA policy can now be updated multiple times. The new rules get appended > to the original policy. Have in mind that the rules are scanned in FIFO > order so be careful when you add
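The FIFO-scan caveat in the quoted commit message, illustrated by an added user-space model that is not kernel code and not part of Petko's or Dmitry's patches. The rule words measure/dont_measure and the func=/uid= keys are borrowed from IMA's policy syntax, but the matcher here is a deliberately simplified first-match evaluator (an assumption for illustration, not the kernel's ima_match_policy()); the point it shows is that a rule appended later can be shadowed by an earlier rule that already matches the same file.

```c
/* Added example: simplified first-match model of an append-only policy.
 * Assumptions (not the kernel's implementation): each rule has an action
 * (measure / dont_measure), an optional func= hook name and an optional
 * uid=; the first rule whose conditions all match decides the outcome,
 * and a file matched by no rule is not measured. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum action { MEASURE, DONT_MEASURE };

struct rule {
    enum action action;
    char func[32];   /* "" means any hook */
    int uid;         /* -1 means any uid */
};

#define MAX_RULES 32
struct policy {
    struct rule rules[MAX_RULES];
    int count;
};

/* Parse one policy line such as "measure func=FILE_CHECK uid=0" and append
 * it behind the rules already present. Returns 0 on success, -1 on a
 * malformed line or a full policy. */
int policy_append(struct policy *p, const char *line)
{
    struct rule r = { .action = MEASURE, .uid = -1 };
    char buf[256];
    char *tok;

    if (p->count >= MAX_RULES)
        return -1;
    r.func[0] = '\0';
    strncpy(buf, line, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';

    tok = strtok(buf, " \t\n");
    if (!tok)
        return -1;
    if (strcmp(tok, "measure") == 0)
        r.action = MEASURE;
    else if (strcmp(tok, "dont_measure") == 0)
        r.action = DONT_MEASURE;
    else
        return -1;

    while ((tok = strtok(NULL, " \t\n")) != NULL) {
        if (strncmp(tok, "func=", 5) == 0) {
            strncpy(r.func, tok + 5, sizeof r.func - 1);
            r.func[sizeof r.func - 1] = '\0';
        } else if (strncmp(tok, "uid=", 4) == 0) {
            r.uid = atoi(tok + 4);
        } else {
            return -1;   /* unknown key: reject the whole rule */
        }
    }
    p->rules[p->count++] = r;   /* appended, so scanned after existing rules */
    return 0;
}

/* Scan rules in insertion (FIFO) order; return the index of the first
 * rule whose conditions all hold, or -1 when no rule matches. */
int policy_match(const struct policy *p, const char *func, int uid)
{
    for (int i = 0; i < p->count; i++) {
        const struct rule *r = &p->rules[i];
        if (r->func[0] != '\0' && strcmp(r->func, func) != 0)
            continue;
        if (r->uid >= 0 && r->uid != uid)
            continue;
        return i;
    }
    return -1;
}

/* 1 if the first matching rule says measure, else 0. */
int should_measure(const struct policy *p, const char *func, int uid)
{
    int i = policy_match(p, func, uid);
    return i >= 0 && p->rules[i].action == MEASURE;
}

/* A later "measure" rule is shadowed by an earlier, broader dont_measure. */
int demo_shadowed(void)
{
    struct policy p = { .count = 0 };
    policy_append(&p, "dont_measure func=FILE_CHECK");
    policy_append(&p, "measure func=FILE_CHECK uid=0");
    return should_measure(&p, "FILE_CHECK", 0);   /* 0: rule 0 wins */
}

/* Same two rules written in the other order: the specific rule is reached. */
int demo_ordered(void)
{
    struct policy p = { .count = 0 };
    policy_append(&p, "measure func=FILE_CHECK uid=0");
    policy_append(&p, "dont_measure func=FILE_CHECK");
    return should_measure(&p, "FILE_CHECK", 0);   /* 1 */
}

/* A malformed line must not be appended. */
int demo_bad_rule(void)
{
    struct policy p = { .count = 0 };
    return policy_append(&p, "measure bogus=1");   /* -1 */
}

int main(void)
{
    printf("shadowed: %d\n", demo_shadowed());
    printf("ordered:  %d\n", demo_ordered());
    printf("bad rule: %d\n", demo_bad_rule());
    return 0;
}
```

The two demos use the same pair of rules; only the write order differs, which is exactly why appending to a live policy needs care: whatever was already loaded is consulted first.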

[PATCH v2 1/1] Tags: Adding tagging feature to security modules

2015-10-22 Thread José Bollo
The Tags security module allows attaching tags to processes. Tags are accessed through the new files /proc/PID/attr/tags and /proc/PID/tasks/TID/attr/tags, referred to below as the "tag file". Reading a tag file returns all the tags attached to the process (or thread). The tags are listed one per line, each

Re: [PATCH] userns/capability: Add user namespace capability

2015-10-22 Thread Andy Lutomirski
On Thu, Oct 22, 2015 at 1:45 PM, Eric W. Biederman wrote: > > Thank you for a creative solution to a problem that you perceive. I > appreciate it when people aim to solve problems they see. > > Tobias Markus writes: > >> On 17.10.2015 23:55, Serge E.

Re: [PATCH] userns/capability: Add user namespace capability

2015-10-22 Thread Eric W. Biederman
Andy Lutomirski writes: > At the risk of pointing out a can of worms, the attack surface also > includes things like the iptables configuration APIs, parsers, and > filter/conntrack/action modules. It is worth noting that module auto-load does not happen if the triggering

Re: [GIT PULL] KEYS: Miscellaneous patches for next

2015-10-22 Thread James Morris
On Thu, 22 Oct 2015, David Howells wrote: > Hi James, > > Could you pull these changes into your next branch please? > > There are three groups: > > (1) Miscellaneous cleanups. > > (2) Add scripts for extracting system cert list and module sigs. > > (3) Condense the type-specific data in

[PATCH v2 0/1] Tagging: a new Security Module

2015-10-22 Thread José Bollo
INTRODUCTION Adding a feature to the kernel is not free; it must have some interest. I will try here to explain the reasons why I am posting a new bag of code. I studied the security of Tizen 3 [1] and modestly participated in it. Tizen 3 uses Smack as its security