Re: [PATCH] userns/capability: Add user namespace capability

Am 19.10.2015 um 14:36 schrieb Yves-Alexis Perez: > On dim., 2015-10-18 at 20:41 -0500, Serge E. Hallyn wrote: >> We shouldn't need a long-term solution. Your concern is bugs. After >> some time surely we'll feel that we have achieved a stable solution? > > But this is actually the whole point:

[PULL REQUEST] IMA changes for 4.4

Hi James, This pull request is for a single bug fix from Dimtry to properly load only signed certificates onto the trusted IMA keyring from the kernel. (This patch has been in the linux-next tree). thanks, Mimi The following changes since commit 049e6dde7e57f0054fdc49102e7ef4830c698b46:

Re: [PATCH] userns/capability: Add user namespace capability

On dim., 2015-10-18 at 20:41 -0500, Serge E. Hallyn wrote: > We shouldn't need a long-term solution.  Your concern is bugs.  After > some time surely we'll feel that we have achieved a stable solution? But this is actually the whole point: we need a long term solution, because they will always be

Re: GPF in keyring_destroy

Dmitry Vyukov wrote: > > Does the attached patch fix it for you? > > Yes, it fixes the crash for me. Can I put you down as a Tested-by? David -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to

Re: GPF in keyring_destroy

On Thu, Oct 15, 2015 at 9:21 PM, David Howells wrote: > Does the attached patch fix it for you? Yes, it fixes the crash for me. > David > --- > commit a7609e0bb3973d6ee3c9f1ecd0b6a382d99d6248 > Author: David Howells > Date: Thu Oct 15 17:21:37 2015

Re: [PATCH] userns/capability: Add user namespace capability

On 2015-10-17 11:58, Tobias Markus wrote: Add capability CAP_SYS_USER_NS. Tasks having CAP_SYS_USER_NS are allowed to create a new user namespace when calling clone or unshare with CLONE_NEWUSER. Rationale: Linux 3.8 saw the introduction of unpriviledged user namespaces, allowing unpriviledged

[PATCH 2/2] KEYS: Don't permit request_key() to construct a new keyring

If request_key() is used to find a keyring, only do the search part - don't do the construction part if the keyring was not found by the search. We don't really want keyrings in the negative instantiated state since the rejected/negative instantiation error value in the payload is unioned with

[PATCH 1/2] KEYS: Fix crash when attempt to garbage collect an uninstantiated keyring

The following sequence of commands: i=`keyctl add user a a @s` keyctl request2 keyring foo bar @t keyctl unlink $i @s tries to invoke an upcall to instantiate a keyring if one doesn't already exist by that name within the user's keyring set. However, if the upcall fails, the code

Re: [PATCH v4 3/3] Allows reading back the current IMA policy;

On Fri, 2015-10-16 at 22:31 +0300, Petko Manolov wrote: > When in development it is useful to read back the IMA policy. This patch > provides the functionality. However, this is a potential security hole so > it should not be used in production-grade kernels. Like the other IMA securityfs

Re: [PATCH v5] Smack: limited capability for changing process label

On 10/19/2015 9:23 AM, Rafal Krypa wrote: > From: Zbigniew Jasinski > > This feature introduces new kernel interface: > > - /relabel-self - for setting transition labels list > > This list is used to control smack label transition mechanism. > List is set by, and per

[PULL] Smack - Changes for 4.4

The following changes since commit 049e6dde7e57f0054fdc49102e7ef4830c698b46: Linux 4.3-rc4 (2015-10-04 16:57:17 +0100) are available in the git repository at: https://github.com/cschaufler/smack-next.git smack-for-4.4 for you to fetch changes up to 38416e53936ecf896948fdeffc36b76979117952:

Re: [RFC PATCH v3 2/5] lsm: introduce hooks for kdbus

On Friday, October 09, 2015 10:56:12 AM Stephen Smalley wrote: > On 10/07/2015 07:08 PM, Paul Moore wrote: > > diff --git a/ipc/kdbus/connection.c b/ipc/kdbus/connection.c > > index ef63d65..1cb87b3 100644 > > --- a/ipc/kdbus/connection.c > > +++ b/ipc/kdbus/connection.c > > @@ -108,6 +109,14 @@

Re: [PATCH v4 1/3] Enable multiple writes to the IMA policy;

On Mon, 2015-10-19 at 14:21 -0400, Mimi Zohar wrote: > On Fri, 2015-10-16 at 22:31 +0300, Petko Manolov wrote: > > diff --git a/security/integrity/ima/ima_fs.c > > b/security/integrity/ima/ima_fs.c > > index 816d175..a3cf5c0 100644 > > --- a/security/integrity/ima/ima_fs.c > > +++

[GIT PULL] Keys bugfixes

Please pull these key susbystem fixes for 4.3, per the message from David Howells: "Here are two patches, the first of which at least should go upstream immediately: (1) Prevent a user-triggerable crash in the keyrings destructor when a negatively instantiated keyring is garbage

Re: [PULL REQUEST] IMA changes for 4.4

On Mon, 19 Oct 2015, Mimi Zohar wrote: > Hi James, > > This pull request is for a single bug fix from Dimtry to properly load > only signed certificates onto the trusted IMA keyring from the kernel. > (This patch has been in the linux-next tree). > > thanks, > > Mimi > > The following changes

[PATCH v5] Smack: limited capability for changing process label

From: Zbigniew Jasinski This feature introduces new kernel interface: - /relabel-self - for setting transition labels list This list is used to control smack label transition mechanism. List is set by, and per process. Process can transit to new label only if label is