On 10/28/2015 08:47 PM, Andreas Gruenbacher wrote:
Make the inode argument of the inode_getsecid hook non-const so that we
can use it to revalidate invalid security labels.
Signed-off-by: Andreas Gruenbacher
Acked-by: Stephen Smalley
---
On 10/28/2015 08:47 PM, Andreas Gruenbacher wrote:
Add functions dentry_security and inode_security for accessing
inode->i_security. These functions initially don't do much, but they
will later be used to revalidate the security labels when necessary.
Signed-off-by: Andreas Gruenbacher
On 10/28/2015 08:47 PM, Andreas Gruenbacher wrote:
When fetching an inode's security label, check if it is still valid, and
try reloading it if it is not. Reloading will fail when we are in RCU
context which doesn't allow sleeping, or when we can't find a dentry for
the inode. (Reloading
Added entry for sm3-256 to the following tables:
* hash_algo_name
* hash_digest_size
Needed for TPM 2.0 trusted key sealing.
Signed-off-by: Jarkko Sakkinen
---
crypto/hash_info.c | 2 ++
include/crypto/hash_info.h | 3 +++
Documented 'hash=' option.
Signed-off-by: Jarkko Sakkinen
---
Documentation/security/keys-trusted-encrypted.txt | 3 +++
1 file changed, 3 insertions(+)
diff --git a/Documentation/security/keys-trusted-encrypted.txt
Jarkko Sakkinen (4):
crypto: add entry for sm3-256
tpm: choose hash algorithm for sealing when using TPM 2.0
keys, trusted: select the hash algorithm
keys, trusted: update documentation for 'hash=' option
Documentation/security/keys-trusted-encrypted.txt | 3 ++
crypto/hash_info.c
Added 'hash=' option for selecting the hash algorithm for add_key()
syscall.
Signed-off-by: Jarkko Sakkinen
---
security/keys/trusted.c | 20 +++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/security/keys/trusted.c
Added hash member to the struct trusted_key_options for choosing the
hash algorithm and support for the following hash algorithms to the TPM
2.0 sealing code:
* sha1
* sha256
* sha384
* sha512
* sm3-256
The hash algorithm can be selected by using HASH_ALGO_* constants in
On 10/28/2015 08:47 PM, Andreas Gruenbacher wrote:
Add a hook to invalidate an inode's security label when the cached
information becomes invalid.
Add the new hook in selinux: set a flag when a security label becomes
invalid.
Signed-off-by: Andreas Gruenbacher
On Thu, Oct 29, 2015 at 05:59:26PM +0200, Jarkko Sakkinen wrote:
> Added hash member to the struct trusted_key_options for choosing the
> hash algorithm and support for the following hash algorithms to the TPM
> 2.0 sealing code:
>
> * sha1
> * sha256
> * sha384
> * sha512
> * sm3-256
>
> The
On Thu, Oct 29, 2015 at 4:21 PM, Stephen Smalley wrote:
> On 10/28/2015 08:47 PM, Andreas Gruenbacher wrote:
>>
>> When fetching an inode's security label, check if it is still valid, and
>> try reloading it if it is not. Reloading will fail when we are in RCU
>> context which
Hi Jarkko,
[auto build test ERROR on next-20151022 -- if it's inappropriate base, please
suggest rules for selecting the more suitable base]
url:
https://github.com/0day-ci/linux/commits/Jarkko-Sakkinen/TPM2-select-hash-algorithm-for-a-trusted-key/20151030-000439
config: x86_64-acpi-redef
Hi Haggai,
On Thu, Oct 29, 2015 at 8:27 PM, Haggai Eran wrote:
> On 28/10/2015 10:29, Parav Pandit wrote:
>> 3. Resources are not defined by the RDMA cgroup. Resources are defined
>> by RDMA/IB subsystem and optionally by HCA vendor device drivers.
>> Rationale: This allows
On Tuesday, October 20, 2015 04:41:14 PM Stephen Smalley wrote:
> On Mon, Oct 19, 2015 at 6:29 PM, Paul Moore wrote:
> > On Friday, October 09, 2015 10:56:12 AM Stephen Smalley wrote:
> >> On 10/07/2015 07:08 PM, Paul Moore wrote:
> >> > diff --git a/ipc/kdbus/connection.c
On 10/14/2015 5:41 AM, Lukasz Pawelczyk wrote:
> This commit adds a new proc attribute, label_map that is required by an
> upcoming Smack namespace. In general it can be used to hold a map of
> labels, e.g. to be used in namespaces.
>
> Due to the nature of this file, the standard getprocattr hook
On 10/14/2015 5:42 AM, Lukasz Pawelczyk wrote:
> This commit uses all the changes introduced in "namespace groundwork"
> and previous preparation patches and makes smack aware of its namespace
> and mapped labels.
>
> It modifies the following functions to be namespace aware:
> - smk_access
> -
On 10/14/2015 5:42 AM, Lukasz Pawelczyk wrote:
> This commit introduces several changes to Smack to prepare it for
> namespace implementation. All the changes are related to namespaces.
>
> Overview of the changes:
> - Adds required data structures for mapped labels and functions to
> operate on
On 10/14/2015 5:42 AM, Lukasz Pawelczyk wrote:
> This patch does some small miscellaneous cleanups and additions that
> should not change the code behaviour in any way. Its only purpose is to
> shape the code in a way that the smack namespace patches would be
> smaller and easier to understand.
>
On 10/14/2015 5:41 AM, Lukasz Pawelczyk wrote:
> This commit implements 3 new LSM hooks that provide the means for LSMs
> to embed their own security context within user namespace, effectively
> creating some sort of a user_ns related security namespace.
>
> The first one to take advantage of this
On 10/14/2015 5:42 AM, Lukasz Pawelczyk wrote:
> Smackfs/syslog is analogous to onlycap and unconfined. When not filled
> they don't do anything. In such cases onlycap and unconfined displayed
> nothing when read, but syslog unconditionally displayed star. This
> doesn't work well with namespaces
On 10/14/2015 5:41 AM, Lukasz Pawelczyk wrote:
> setprocattr hook for Smack's label_map attribute needs to know the
> capabilities of file opener. Add those credentials to the hook's
> arguments.
>
> While at it add documentation on get/setprocattr hooks.
>
> Signed-off-by: Lukasz Pawelczyk
On 10/14/2015 5:41 AM, Lukasz Pawelczyk wrote:
> Add a new LSM hook called before inode's setxattr. It is required for
> LSM to be able to reliably replace the xattr's value to be set to
> filesystem in __vfs_setxattr_noperm(). Useful for mapped values, like in
> the upcoming Smack namespace
Make validatetrans decisions available through selinuxfs.
"/validatetrans" is added to selinuxfs for this purpose.
This functionality is needed by file system servers
implemented in userspace or kernelspace without the VFS
layer.
Writing "$oldcontext $newcontext $tclass $taskcontext"
to
23 matches
Mail list logo