ed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
---
security/keys/key.c| 3 +--
security/keys/keyctl.c | 17 +++--
2 files changed, 8 insertions(+), 12 deletions(-)
diff --git a/security/keys/key.c b/security/keys/key.c
index 09ef276..07a8731 100644
--- a/security/keys
On Wed, 2016-01-06 at 13:21 +, David Howells wrote:
> Mimi Zohar <zo...@linux.vnet.ibm.com> wrote:
>
> > The x509_validate_trust() was originally added for IMA to ensure, on a
> > secure boot system, a certificate chain of trust rooted in hardware.
On Tue, 2016-01-05 at 16:39 +, David Howells wrote:
> Mimi Zohar <zo...@linux.vnet.ibm.com> wrote:
>
> > You're missing Petko's patch:
> > 41c89b6 IMA: create machine owner and blacklist keyrings
>
> Hmmm... This is wrong. x509_key_preparse() shouldn't be
On Thu, 2016-01-07 at 00:34 +, David Howells wrote:
> David Howells wrote:
>
> > Partially revert commit 41c89b64d7184a780f12f2cccdabe65cb2408893:
> >
> > Author: Petko Manolov
> > Date: Wed Dec 2 17:47:55 2015 +0200
> > IMA: create
> up as an attempt to load a certificate failing with -ERANGE or -EBADMSG.
> This is produced from the RSA module when the result of calculating "m =
> s^e mod n" is checked.
>
> Signed-off-by: David Howells <dhowe...@redhat.com>
> cc: David Woodhouse <david.wo
On Tue, 2015-12-29 at 07:06 -0500, Mimi Zohar wrote:
> On Tue, 2015-12-29 at 16:21 +0800, Dave Young wrote:
> This policy flexibility is needed at least until all files come from
> software providers with file signatures. (RPM has been modified to
> include file signatures.) Even th
On Tue, 2015-12-29 at 16:21 +0800, Dave Young wrote:
> Hi, Mimi
>
> On 12/28/15 at 07:51am, Mimi Zohar wrote:
> > On Mon, 2015-12-28 at 10:08 +0800, Dave Young wrote:
> > > On 12/25/15 at 09:45am, Mimi Zohar wrote:
> > > > IMA calculates the file has
On Mon, 2015-12-28 at 10:08 +0800, Dave Young wrote:
> On 12/25/15 at 09:45am, Mimi Zohar wrote:
> > IMA calculates the file hash, in this case, based on the buffer
> > contents. The hash is calculated once and used for both measurement
> > and appraisal. If the file inte
On Fri, 2015-12-25 at 13:33 +0800, Dave Young wrote:
> Hi, Mimi
>
> CCing kexec list, not all kexec people subscribed to IMA list.
> I just subscribed to it since Vivek CCed me last time about the V1 of this
> series.
Thanks!
> On 12/23/15 at 06:55pm, Mimi Zohar wrote:
>
scription re-written by Luis R. Rodriguez
Signed-off-by: Dmitry Kasatkin <d.kasat...@samsung.com>
Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
---
security/integrity/iint.c | 4 +---
security/integrity/ima/ima_fs.c | 39 ++-
security/int
Require the IMA policy to be signed when additional rules can be added.
Changelog v1:
- initialize the policy flag
- include IMA_APPRAISE_POLICY in the policy flag
Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
---
security/integrity/ima/ima_policy.c | 7 +++
1 file chan
Instead of reading the firmware twice, once for measuring/appraising
the firmware and again reading the file contents into memory, this
patch reads the firmware once.
Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
---
drivers/base/firmware_class.c | 5 +
include/linux
image and initramfs.
Mimi
Dmitry Kasatkin (3):
ima: separate 'security.ima' reading functionality from collect
ima: load policy using path
ima: provide buffer hash calculation function
Mimi Zohar (4):
ima: measure and appraise kexec image and initramfs
ima: measure and appraise firmware
Call ima_hash_and_process_file() to measure and appraise the IMA policy.
This patch defines a new policy hook named POLICY_CHECK.
Changelog v2:
- remove S_ISREG() test
Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
---
include/linux/ima.h | 1 +
security/int
h algo to the ima_collect_measurement().
Signed-off-by: Dmitry Kasatkin <d.kasat...@samsung.com>
Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
---
security/integrity/ima/ima.h | 15 +++
security/integrity/ima/ima_api.c | 15 +++
secu
the kexec image and initramfs.
Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
---
Documentation/ABI/testing/ima_policy | 2 +-
include/linux/ima.h | 16 ++
kernel/kexec_file.c | 24
security/integrity/iint.c
From: Dmitry Kasatkin <d.kasat...@samsung.com>
This patch provides convenient buffer hash calculation function.
Signed-off-by: Dmitry Kasatkin <d.kasat...@samsung.com>
Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
---
security/integrity/ima/ima.h| 2 ++
secu
On Wed, 2015-12-23 at 13:47 +0200, Petko Manolov wrote:
> On 15-12-22 16:50:01, Sasha Levin wrote:
> > On 12/22/2015 04:40 PM, Petko Manolov wrote:
> > >> Thanks, Sasha. By the time ima_update_policy() is called
> > >> >ima_release_policy() has already output the policy update status
> > >>
On Wed, 2015-12-23 at 07:24 -0500, Mimi Zohar wrote:
> On Wed, 2015-12-23 at 13:47 +0200, Petko Manolov wrote:
>
> > On 15-12-22 16:50:01, Sasha Levin wrote:
> > > On 12/22/2015 04:40 PM, Petko Manolov wrote:
> > > >> Thanks, Sasha. By th
On Mon, 2015-12-21 at 22:44 +0100, Luis R. Rodriguez wrote:
>
> Eventually, once we generalize a common read perhaps we should stuff this
> into VFS common code and provide arguments to enable callers to provide
> restrictions or requirements. Let's work together on that after the holidays.
>
>
reset EVM status when file attributes change
Mimi Zohar (3):
KEYS: prevent keys from being removed from specified keyrings
IMA: prevent keys on the .ima_blacklist from being removed
ima: update appraise flags after policy update completes
Paul Gortmaker (1):
security/integrity
On Thu, 2015-12-17 at 23:03 +0100, Luis R. Rodriguez wrote:
> On Tue, Dec 08, 2015 at 01:01:23PM -0500, Mimi Zohar wrote:
> > diff --git a/security/integrity/iint.c b/security/integrity/iint.c
> > index 8a45576..4d149c9 100644
> > --- a/security/integrity/iint.c
> > +++
On Thu, 2015-12-17 at 22:06 +0100, Luis R. Rodriguez wrote:
> On Tue, Dec 08, 2015 at 01:01:22PM -0500, Mimi Zohar wrote:
> > diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c
> > index 8524450..dcd902f 100644
> > --- a/drivers/base/firmware_class.c
On Thu, 2015-12-17 at 14:45 +0800, Dave Young wrote:
> On 12/08/15 at 02:15pm, Mimi Zohar wrote:
> > On Tue, 2015-12-08 at 13:32 -0500, Vivek Goyal wrote:
> > > On Tue, Dec 08, 2015 at 01:01:21PM -0500, Mimi Zohar wrote:
> > >
> > > [..]
> > > >
On Sun, 2015-12-13 at 17:42 +0200, Jarkko Sakkinen wrote:
> TPM2 supports authorization policies, which are essentially
> combinational logic statements representing the conditions where the data
> can be unsealed based on the TPM state. This patch enables to use
> authorization policies to seal
On Sun, 2015-12-13 at 17:42 +0200, Jarkko Sakkinen wrote:
> The trusted keys option parsing allows specifying the same option
> multiple times. The last option value specified is used.
>
> This can be seen as a regression because:
>
> * No gain.
> * Could be problematic if there are options
On Sat, 2015-12-12 at 18:26 -0800, Tadeusz Struk wrote:
> Convert asymmetric_verify to akcipher api.
>
> Signed-off-by: Tadeusz Struk
> ---
> security/integrity/Kconfig |1 +
> security/integrity/digsig_asymmetric.c | 10 +++---
> 2 files changed,
On Thu, 2015-12-10 at 10:39 -0800, Tadeusz Struk wrote:
> Hi Mimi,
> On 12/10/2015 10:25 AM, Mimi Zohar wrote:
> >> This patch set converts the module verification and digital signature
> >> > code to the new akcipher API.
> >> > RSA implementation has b
On Thu, 2015-12-10 at 21:12 +0200, Petko Manolov wrote:
> On 15-12-08 13:01:24, Mimi Zohar wrote:
> > Require the IMA policy to be signed when additional rules can be added.
> >
> > Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
> > ---
> >
On Thu, 2015-12-10 at 14:37 -0500, Mimi Zohar wrote:
> On Thu, 2015-12-10 at 10:39 -0800, Tadeusz Struk wrote:
> > Hi Mimi,
> > On 12/10/2015 10:25 AM, Mimi Zohar wrote:
> > >> This patch set converts the module verification and digital signature
> > >> >
On Wed, 2015-12-09 at 15:52 -0800, Tadeusz Struk wrote:
> This patch set converts the module verification and digital signature
> code to the new akcipher API.
> RSA implementation has been removed from crypto/asymmetric_keys and the
> new API is used for cryptographic primitives.
> There is no
On Wed, 2015-12-09 at 16:24 +0200, Jarkko Sakkinen wrote:
> On Tue, Dec 08, 2015 at 06:56:17PM -0500, Mimi Zohar wrote:
> > On Tue, 2015-12-08 at 22:24 +0200, Jarkko Sakkinen wrote:
> > > On Tue, Dec 08, 2015 at 01:01:02PM +0200, Jarkko Sakkinen wrote:
> > > > On T
Require the IMA policy to be signed when additional rules can be added.
Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
---
security/integrity/ima/ima_policy.c | 4
1 file changed, 4 insertions(+)
diff --git a/security/integrity/ima/ima_policy.c
b/security/integrity/ima/ima_po
Instead of reading the firmware twice, once for measuring/appraising
the firmware and again reading the file contents into memory, this
patch reads the firmware once.
Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
---
drivers/base/firmware_class.c | 15 +++
i
: separate 'security.ima' reading functionality from collect
ima: load policy using path
Mimi Zohar (5):
ima: update appraise flags after policy update completes
ima: measure and appraise kexec image and initramfs
ima: measure and appraise firmware (improvement)
ima: measure and appraise the IMA
On Tue, 2015-12-08 at 13:32 -0500, Vivek Goyal wrote:
> On Tue, Dec 08, 2015 at 01:01:21PM -0500, Mimi Zohar wrote:
>
> [..]
> > #ifdef CONFIG_IMA_APPRAISE
> > diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> > index b70ada0..18c4a84 100644
> > --- a/ker
On Sun, 2015-11-22 at 09:41 -0500, Mimi Zohar wrote:
> On Fri, 2015-11-20 at 11:07 +, David Howells wrote:
> >
> > (*) Add Mimi's patches to allow keys/keyrings to be marked undeletable.
> > This
> > is for the purpose of creating blacklists
On Wed, 2015-12-02 at 17:47 +0200, Petko Manolov wrote:
> Difference since v5 of the patches:
>
> - better description of patch #3;
> - added missing IMA_DIGSIG_REQUIRED & IMA_PERMIT_DIRECTIO flags;
>
> This patch-set consists of three separate patches that do the following:
>
> 1) Allows
On Tue, 2015-12-01 at 21:58 +0200, Petko Manolov wrote:
> First off, this is not a real patch rather than my idea in a C form. I feel
> uncertain about a few points:
>
> 0) do keyrings keep a timestamp when created or last updated? David?
>
> 1) is jiffies(_64) the best thing
insert an additional or different
certificate needs to remove the existing compressed image.
Acked-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
> ---
> certs/Kconfig | 16 ++
> certs/system_certificates.S | 12 ++
> scripts/.gitignore |
time it is
read, there's no need for the firmware specific cache status. This
patch removes the firmware specific cache status and replaces it
with the generic read status.
Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
---
drivers/base/firmware_class.c | 7 ++-
include
Each time kexec loads an image, ignore the kexec cached status
and re-measure/re-appraise the image. This patch replaces the
iint kexec status with a generic read status in preparation for
measuring/verifying other files.
Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
---
se
, and at the same time hash, a kexec'ed image. After reading and
hashing the file, ima_read_file_from_fd() calls ima_process_measurement()
to measure and appraise the file.
This patch defines a new policy "func" named KEXEC_CHECK to measure
and/or appraise the kexec image.
Signed-off-by:
From: Dmitry Kasatkin
Instead of playing with setting and passing pointers to pointers to the
ima_collect_measurement() to read and return 'security.ima' xattr value,
this patch moves functionality to the calling process_measurement()
to directly read xattr and pass only
On Mon, 2015-11-02 at 00:32 +0200, Petko Manolov wrote:
> This option creates IMA MOK and blacklist keyrings. IMA MOK is an
> intermediate keyring that sits between .system and .ima keyrings,
> effectively forming a simple CA hierarchy. To successfully import a key
> into .ima_mok it must be
On Tue, 2015-11-10 at 18:01 +0200, Petko Manolov wrote:
> On 15-11-09 09:30:58, Mimi Zohar wrote:
> > On Mon, 2015-11-02 at 00:39 +0200, Petko Manolov wrote:
> >
> > > +
> > > +#ifdef CONFIG_IMA_READ_POLICY
> > > +enum {
> > > + mask_err
On Mon, 2015-11-02 at 00:39 +0200, Petko Manolov wrote:
> +
> +#ifdef CONFIG_IMA_READ_POLICY
> +enum {
> + mask_err = -1,
> + mask_exec = 1, mask_write, mask_read, mask_append
> +};
> +
> +static match_table_t mask_tokens = {
> + {mask_exec, "MAY_EXEC"},
> + {mask_write,
On Thu, 2015-10-22 at 21:49 +0300, Dmitry Kasatkin wrote:
> Hi,
>
> IMA module provides functionality to load x509 certificates into the
> trusted '.ima' keyring. This patchset adds the same functionality
> to the EVM as well. Also it provides functionality to set EVM key from
> the kernel
On Tue, 2015-11-03 at 09:39 +0200, Jarkko Sakkinen wrote:
> On Mon, Nov 02, 2015 at 07:16:49AM -0500, Mimi Zohar wrote:
> > On Fri, 2015-10-30 at 13:35 +0200, Jarkko Sakkinen wrote:
> >
> > > @@ -787,6 +791,20 @@ static int getoptions(char *c, struct
On Fri, 2015-10-30 at 13:35 +0200, Jarkko Sakkinen wrote:
> @@ -787,6 +791,20 @@ static int getoptions(char *c, struct
> trusted_key_payload *pay,
> return -EINVAL;
> opt->pcrlock = lock;
> break;
> + case
On Sat, 2015-10-31 at 17:53 +0200, Jarkko Sakkinen wrote:
> Support for sealing with a policy.
>
> Two new options for trusted keys:
>
> * 'policydigest=': provide a policydigest for the seal operation.
> * 'policyhandle=': provide handle for a policy session for unsealing.
Please expand the
On Sat, 2015-10-24 at 17:04 +0300, Dmitry Kasatkin wrote:
> On Sat, Oct 24, 2015 at 3:28 PM, Petko Manolov wrote:
> > On 15-10-23 20:13:41, Dmitry Kasatkin wrote:
> >> On Fri, Oct 23, 2015 at 3:29 PM, Petko Manolov wrote:
> >> >
> >> > I was actually
On Tue, 2015-10-27 at 00:03 +0200, Petko Manolov wrote:
> On 15-10-26 22:39:28, Dmitry Kasatkin wrote:
> > Can you please still explain when multiple policy writers can contend? I
> > 100%
> > understand the role of mutex
>
> Ignore the high level requirements for the moment. Every time
On Mon, 2015-10-26 at 16:01 +0200, Petko Manolov wrote:
> On 15-10-25 07:50:32, Mimi Zohar wrote:
> > On Sat, 2015-10-24 at 17:06 +0300, Dmitry Kasatkin wrote:
> >
> > > > @@ -171,9 +172,8 @@ static int __init
> > > > default_appraise_policy_setup(char *
On Sat, 2015-10-24 at 15:42 +0300, Jarkko Sakkinen wrote:
> Added 'hashalg=' option for selecting the hash algorithm.
>
> Currently available options are:
>
> * sha1
> * sha256
> * sha384
> * sha512
> * sm3_256
Please consider using crypto/hash_info.c: hash_algo_name[], which
already define the
On Fri, 2015-10-23 at 16:05 +0300, Petko Manolov wrote:
> On 15-10-22 21:49:25, Dmitry Kasatkin wrote:
> > diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
> > index df30334..a292b88 100644
> > --- a/security/integrity/ima/Kconfig
> > +++
On Thu, 2015-10-22 at 21:49 +0300, Dmitry Kasatkin wrote:
> Crypto HW kernel module can possibly initialize EVM key from the
> kernel __init code to enable EVM before calling 'init' process.
> This patch provides a function evm_set_key() which can be used to
> set custom key directly to EVM without
On Wed, 2015-10-21 at 16:13 +0100, David Howells wrote:
> Here's a set of patches that changes how keys are determined to be trusted
> - currently, that's a case of whether a key has KEY_FLAG_TRUSTED set upon
> it. A keyring can then have a flag set (KEY_FLAG_TRUSTED_ONLY) that
> indicates that
On Wed, 2015-10-21 at 13:21 -0400, Josh Boyer wrote:
> On Wed, Oct 21, 2015 at 1:02 PM, Mimi Zohar <zo...@linux.vnet.ibm.com> wrote:
> > On Wed, 2015-10-21 at 16:13 +0100, David Howells wrote:
> >> Here's a set of patches that changes how keys are determined to be trusted
On Wed, 2015-10-21 at 14:21 -0400, Josh Boyer wrote:
> On Wed, Oct 21, 2015 at 2:11 PM, Mimi Zohar <zo...@linux.vnet.ibm.com> wrote:
> > On Wed, 2015-10-21 at 13:21 -0400, Josh Boyer wrote:
> >> On Wed, Oct 21, 2015 at 1:02 PM, Mimi Zohar <zo...@linux.vnet.ibm.com>
On Wed, 2015-10-21 at 11:50 +0100, David Howells wrote:
> Mimi Zohar <zo...@linux.vnet.ibm.com> wrote:
>
> > Thinking about the blacklist keyring some more...
>
> Are we talking about a blacklist keyring that userspace can use - or can it be
> only usable by
On Wed, 2015-10-21 at 11:52 +0100, David Howells wrote:
> Petko Manolov wrote:
>
> > As far as I know there is no concept of write-once to a keyring in the
> > kernel. David will correct me if I am wrong. I wonder how hard would it be
> > to add such functionality, in case
On Wed, 2015-10-21 at 11:55 +0100, David Howells wrote:
> Mimi Zohar <zo...@linux.vnet.ibm.com> wrote:
>
> > > I need to think about this. Should -EKEYREVOKED be the same as -ENOKEY in
> > > this case? I guess the end result is pretty much the same from IMA v
On Tue, 2015-10-20 at 10:26 +0300, Petko Manolov wrote:
> On 15-10-19 14:21:42, Mimi Zohar wrote:
> > On Fri, 2015-10-16 at 22:31 +0300, Petko Manolov wrote:
> > > When in development it is useful to read back the IMA policy. This patch
> > > provides
On Tue, 2015-10-20 at 18:33 +0300, Petko Manolov wrote:
> On 15-10-20 11:21:43, Mimi Zohar wrote:
> > On Tue, 2015-10-20 at 17:43 +0300, Petko Manolov wrote:
>
> > Thinking about the blacklist keyring some more... My concern is more that
> > keys can be added and
On Tue, 2015-10-20 at 21:42 +0300, Petko Manolov wrote:
> On 15-10-20 14:32:10, Mimi Zohar wrote:
> > On Tue, 2015-10-20 at 18:33 +0300, Petko Manolov wrote:
> > >
> > > As far as I know there is no concept of write-once to a keyring in the
> > > kernel. Dav
On Tue, 2015-10-20 at 15:10 +0300, Petko Manolov wrote:
> On 15-10-20 08:00:29, Mimi Zohar wrote:
> > On Tue, 2015-10-20 at 10:26 +0300, Petko Manolov wrote:
> > > On 15-10-19 14:21:42, Mimi Zohar wrote:
> > > > On Fri, 2015-10-16 at 22:31 +0300, Petko Manolov wrote:
Hi James,
This pull request is for a single bug fix from Dmitry to properly load
only signed certificates onto the trusted IMA keyring from the kernel.
(This patch has been in the linux-next tree).
thanks,
Mimi
The following changes since commit
049e6dde7e57f0054fdc49102e7ef4830c698b46:
On Fri, 2015-10-16 at 22:31 +0300, Petko Manolov wrote:
> When in development it is useful to read back the IMA policy. This patch
> provides the functionality. However, this is a potential security hole so
> it should not be used in production-grade kernels.
Like the other IMA securityfs
On Mon, 2015-10-19 at 14:21 -0400, Mimi Zohar wrote:
> On Fri, 2015-10-16 at 22:31 +0300, Petko Manolov wrote:
> > diff --git a/security/integrity/ima/ima_fs.c
> > b/security/integrity/ima/ima_fs.c
> > index 816d175..a3cf5c0 100644
> > --- a/security/integrity/ima/
On Tue, 2015-10-06 at 11:37 -0700, Paul E. McKenney wrote:
> On Sun, Sep 27, 2015 at 06:10:28PM +0300, Petko Manolov wrote:
> > __list_splice_init_rcu() can be used to splice lists forming both stack and
> > queue structures, depending on its arguments. It is based on the initial
> >
On Thu, 2015-09-10 at 14:17 +0300, Petko Manolov wrote:
> The .system keyring is populated at kernel build time and read-only while the
> system is running. There is no way to dynamically add other user's CA so
> .ima_root_ca was introduced as read-write keyring that stores these
> certificates.
On Sun, 2015-09-27 at 18:23 +0300, Petko Manolov wrote:
> On 15-09-23 23:06:54, Mimi Zohar wrote:
> > On Tue, 2015-09-22 at 18:19 +0300, Petko Manolov wrote:
> > >
> > > Well, this is a sore point. I don't have sufficient knowledge about how
> > > audit_rule_
On Thu, 2015-09-10 at 22:06 +0300, Dmitry Kasatkin wrote:
> If IMA_LOAD_X509 is enabled either directly or indirectly via
> IMA_APPRAISE_SIGNED_INIT, it enables certificate loading to the IMA trusted
> keyring from the kernel. Due to the overlook, KEY_ALLOC_TRUSTED was used in
> the
>
On Tue, 2007-06-19 at 17:23 -0500, Serge E. Hallyn wrote:
+#define get_file_security(file) ((unsigned long)(file-f_security))
+#define set_file_security(file, val) (file-f_security = (void *)val)
+
+#define get_task_security(task) ((unsigned long)(task-security))
+#define
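Review bot: set_file_security() casts its val argument without parentheses, `(void *)val`, so when the caller passes an expression the cast binds only to its first operand. Write `(void *)(val)`, and parenthesize the file and task arguments in the other visible accessor macros as well, so that a non-trivial argument expression expands as intended.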
On Tue, 2007-03-13 at 19:27 -0700, Seth Arnold wrote:
On Thu, Mar 08, 2007 at 05:58:16PM -0500, Mimi Zohar wrote:
This is a request for comments for a new Integrity Based Access
Control(IBAC) LSM module which bases access control decisions
on the new integrity framework services.
Thanks