Re: [PATCH v2 1/2] crypto: KEYS: convert public key to the akcipher api

2015-12-22 Thread Herbert Xu
On Tue, Dec 22, 2015 at 06:23:59AM -0800, Tadeusz Struk wrote: > > What about the first two. This one is completely unrelated. > It only supposed to fix some random configuration issue > reported by a build robot, which isn't really important now. > The other two convert the module verifier to the

Re: [RFC PATCH 16/17] calipso: Add validation of CALIPSO option.

2015-12-22 Thread Huw Davies
On Tue, Dec 22, 2015 at 10:47:43PM +0100, Hannes Frederic Sowa wrote: > On 22.12.2015 17:59, Huw Davies wrote: > > I'm confused about this one. AFAICS, this will drop packets that we > > can't process. We don't send the icmp error, but I can certainly add > > that. Is that what you mean? > >

Re: [PATCH] IMA: policy can be updated zero times

2015-12-22 Thread Petko Manolov
On December 22, 2015 9:56:28 PM GMT+02:00, Mimi Zohar wrote: >On Tue, 2015-12-22 at 08:51 -0500, Sasha Levin wrote: >> Commit "IMA: policy can now be updated multiple times" assumed that >the >> policy would be updated at least once. >> >> If there are zero updates,

Re: [PATCH] IMA: policy can be updated zero times

2015-12-22 Thread Sasha Levin
On 12/22/2015 04:40 PM, Petko Manolov wrote: >> Thanks, Sasha. By the time ima_update_policy() is called >> >ima_release_policy() has already output the policy update status >> >message. I guess an empty policy could be considered a valid policy. >> >Could you add a msg indicating that the new

Re: [PATCH v2 1/2] crypto: KEYS: convert public key to the akcipher api

2015-12-22 Thread Tadeusz Struk
On 12/22/2015 06:33 PM, Herbert Xu wrote: >> What about the first two. This one is completely unrelated. >> > It only supposed to fix some random configuration issue >> > reported by a build robot, which isn't really important now. >> > The other two convert the module verifier to the new API. >

[RFC PATCH 13/17] calipso: Allow request sockets to be relabelled by the lsm.

2015-12-22 Thread Huw Davies
Request sockets need to have a label that takes into account the incoming connection as well as their parent's label. This is used for the outgoing SYN-ACK and for their child full-socket. Signed-off-by: Huw Davies --- include/net/netlabel.h | 6

[RFC PATCH 16/17] calipso: Add validation of CALIPSO option.

2015-12-22 Thread Huw Davies
We check lengths, checksum and the DOI. We leave checking of the level and categories for the socket layer. Signed-off-by: Huw Davies --- include/net/calipso.h | 6 ++ net/ipv6/calipso.c| 43 +++ net/ipv6/exthdrs.c| 27

[RFC PATCH 03/17] netlabel: Initial support for the CALIPSO netlink protocol.

2015-12-22 Thread Huw Davies
CALIPSO is a packet labelling protocol for IPv6 which is very similar to CIPSO. It is specified in RFC 5570. Much of the code is based on the current CIPSO code. This adds support for adding passthrough-type CALIPSO DOIs through the NLBL_CALIPSO_C_ADD command. It requires attributes:

[RFC PATCH 15/17] netlabel: Pass a family parameter to netlbl_skbuff_err().

2015-12-22 Thread Huw Davies
This makes it possible to route the error to the appropriate labelling engine. CALIPSO is far less verbose than CIPSO when encountering a bogus packet, so there is no need for a CALIPSO error handler. Signed-off-by: Huw Davies --- include/net/netlabel.h | 2

[RFC PATCH 08/17] ipv6: Add ipv6_renew_options_kern() that accepts a kernel mem pointer.

2015-12-22 Thread Huw Davies
The functionality is equivalent to ipv6_renew_options() except that the newopt pointer is in kernel, not user, memory. The kernel memory implementation will be used by the CALIPSO network labelling engine, which needs to be able to set IPv6 hop-by-hop options. Signed-off-by: Huw Davies

[RFC PATCH 12/17] ipv6: Allow request socks to contain IPv6 options.

2015-12-22 Thread Huw Davies
If set, these will take precedence over the parent's options during both sending and child creation. If they're not set, the parent's options (if any) will be used. This is to allow the security_inet_conn_request() hook to modify the IPv6 options in just the same way that it already may do for

[RFC PATCH 04/17] netlabel: Add support for querying a CALIPSO DOI.

2015-12-22 Thread Huw Davies
Query a specified DOI through the NLBL_CALIPSO_C_LIST command. It requires the attribute: NLBL_CALIPSO_A_DOI. The reply will contain: NLBL_CALIPSO_A_MTYPE Signed-off-by: Huw Davies --- include/net/netlabel.h | 4 ++ net/ipv6/calipso.c | 68

[RFC PATCH 00/17] CALIPSO implementation

2015-12-22 Thread Huw Davies
This patch series implements RFC 5570 - Common Architecture Label IPv6 Security Option (CALIPSO). Its goal is to set MLS sensitivity labels on IPv6 packets using a hop-by-hop option. CALIPSO is very similar to its IPv4 cousin CIPSO and much of this series is based on that code. Most of this series

[RFC PATCH 01/17] netlabel: Mark rcu pointers with __rcu.

2015-12-22 Thread Huw Davies
This fixes sparse errors of the form: netlabel_domainhash.c:126:23: error: incompatible types in comparison expression (different address spaces) This patch also removes unnecessary initialization of static variables to NULL. Signed-off-by: Huw Davies ---

[RFC PATCH 07/17] netlabel: Add support for removing a CALIPSO DOI.

2015-12-22 Thread Huw Davies
Remove a specified DOI through the NLBL_CALIPSO_C_REMOVE command. It requires the attribute: NLBL_CALIPSO_A_DOI. Signed-off-by: Huw Davies --- include/net/netlabel.h | 1 + net/ipv6/calipso.c | 48 +

[RFC PATCH 10/17] calipso: Set the calipso socket label to match the secattr.

2015-12-22 Thread Huw Davies
CALIPSO is a hop-by-hop IPv6 option. A lot of this patch is based on the equivalent CIPSO code. The main difference is due to manipulating the options in the hop-by-hop header. Signed-off-by: Huw Davies --- include/net/ipv6.h | 2 + include/net/netlabel.h

[RFC PATCH 17/17] calipso: Add a label cache.

2015-12-22 Thread Huw Davies
This works in exactly the same way as the CIPSO label cache. The idea is to allow the lsm to cache the result of a secattr lookup so that it doesn't need to perform the lookup for every skbuff. It introduces two sysctl controls: calipso_cache_enable - enables/disables the cache.

[RFC PATCH 02/17] netlabel: Add an address family to domain hash entries.

2015-12-22 Thread Huw Davies
The reason is to allow different labelling protocols for different address families with the same domain. This requires the addition of an address family attribute in the netlink communication protocol. It is used in several messages: NLBL_MGMT_C_ADD and NLBL_MGMT_C_ADDDEF take it as an

[RFC PATCH 06/17] netlabel: Add support for creating a CALIPSO protocol domain mapping.

2015-12-22 Thread Huw Davies
This extends the NLBL_MGMT_C_ADD and NLBL_MGMT_C_ADDDEF commands to accept CALIPSO protocol DOIs. Signed-off-by: Huw Davies --- net/netlabel/netlabel_domainhash.c | 40 +-- net/netlabel/netlabel_domainhash.h | 1 + net/netlabel/netlabel_mgmt.c

[RFC PATCH 11/17] netlabel: Prevent setsockopt() from changing the hop-by-hop option.

2015-12-22 Thread Huw Davies
If a socket has a netlabel in place then don't let setsockopt() alter the socket's IPv6 hop-by-hop option. This is in the same spirit as the existing check for IPv4. Signed-off-by: Huw Davies --- security/selinux/netlabel.c | 17 - 1 file changed, 16

[RFC PATCH 05/17] netlabel: Add support for enumerating the CALIPSO DOI list.

2015-12-22 Thread Huw Davies
Enumerate the DOI list through the NLBL_CALIPSO_C_LISTALL command. It takes no attributes. Signed-off-by: Huw Davies --- include/net/netlabel.h | 4 ++ net/ipv6/calipso.c | 41 net/netlabel/netlabel_calipso.c | 106

Re: [PATCH v2 1/2] crypto: KEYS: convert public key to the akcipher api

2015-12-22 Thread Herbert Xu
On Mon, Dec 21, 2015 at 12:59:59PM -0800, Tadeusz Struk wrote: > > The previous patch was broken, re-sending again, sorry. > > I think there is something missing in this configuration. > cat .config | grep KEXEC_BZIMAGE_VERIFY_SIG gives nothing. > Anyways, this patch should fix it. No this is

Re: [PATCH v1 5/7] ima: measure and appraise firmware (improvement)

2015-12-22 Thread Mimi Zohar
On Mon, 2015-12-21 at 22:44 +0100, Luis R. Rodriguez wrote: > > Eventually, once we generalize a common read perhaps we should stuff this > into VFS common code and provide arguments to enable callers to provide > restrictions or requirements. Let's work together on that after the holidays. > >

[RFC PATCH 14/17] calipso: Allow the lsm to label the skbuff directly.

2015-12-22 Thread Huw Davies
In some cases, the lsm needs to add the label to the skbuff directly. A NF_INET_LOCAL_OUT IPv6 hook is added to selinux to match the IPv4 behaviour. This allows selinux to label the skbuffs that it requires. Signed-off-by: Huw Davies --- include/net/ipv6.h |

[RFC PATCH 09/17] netlabel: Move bitmap manipulation functions to the NetLabel core.

2015-12-22 Thread Huw Davies
This is to allow the CALIPSO labelling engine to use these. Signed-off-by: Huw Davies --- include/net/netlabel.h | 6 +++ net/ipv4/cipso_ipv4.c| 88 +--- net/netlabel/netlabel_kapi.c | 70

Re: [RFC PATCH 16/17] calipso: Add validation of CALIPSO option.

2015-12-22 Thread Huw Davies
On Tue, Dec 22, 2015 at 02:50:20PM +0100, Hannes Frederic Sowa wrote: > On 22.12.2015 12:46, Huw Davies wrote: > > > > +/* CALIPSO RFC 5570 */ > > + > > +static bool ipv6_hop_calipso(struct sk_buff *skb, int optoff) > > +{ > > + const unsigned char *nh = skb_network_header(skb); > > + > > +

[PATCH] IMA: policy can be updated zero times

2015-12-22 Thread Sasha Levin
Commit "IMA: policy can now be updated multiple times" assumed that the policy would be updated at least once. If there are zero updates, the temporary list head object will get added to the policy list, and later dereferenced as an IMA policy object, which means that invalid memory will be

Re: [RFC PATCH 08/17] ipv6: Add ipv6_renew_options_kern() that accepts a kernel mem pointer.

2015-12-22 Thread Hannes Frederic Sowa
On 22.12.2015 12:46, Huw Davies wrote: > The functionality is equivalent to ipv6_renew_options() except > that the newopt pointer is in kernel, not user, memory > > The kernel memory implementation will be used by the CALIPSO network > labelling engine, which needs to be able to set IPv6

Re: [RFC PATCH 16/17] calipso: Add validation of CALIPSO option.

2015-12-22 Thread Hannes Frederic Sowa
On 22.12.2015 12:46, Huw Davies wrote: > > +/* CALIPSO RFC 5570 */ > + > +static bool ipv6_hop_calipso(struct sk_buff *skb, int optoff) > +{ > + const unsigned char *nh = skb_network_header(skb); > + > + if (nh[optoff + 1] < 8) > + goto drop; > + > + if (nh[optoff + 6] *

Re: [PATCH v2 1/2] crypto: KEYS: convert public key to the akcipher api

2015-12-22 Thread Tadeusz Struk
Hi Herbert On 12/22/2015 04:09 AM, Herbert Xu wrote: > On Mon, Dec 21, 2015 at 12:59:59PM -0800, Tadeusz Struk wrote: >> >> The previous patch was broken, re-sending again, sorry. >> >> I think there is something missing in this configuration. >> cat .config | grep KEXEC_BZIMAGE_VERIFY_SIG gives

Re: [RFC PATCH 13/17] calipso: Allow request sockets to be relabelled by the lsm.

2015-12-22 Thread Hannes Frederic Sowa
On 22.12.2015 12:46, Huw Davies wrote: > tot_len += sizeof(*opt2); > - opt2 = sock_kmalloc(sk, tot_len, GFP_ATOMIC); > + if (sk) > + opt2 = sock_kmalloc(sk, tot_len, GFP_ATOMIC); > + else > + opt2 = kmalloc(tot_len, GFP_ATOMIC); > if (!opt2) >
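
Review bot: the new if (sk) / else branch means opt2 can come from either sock_kmalloc() or kmalloc(), and the two need different release paths: memory from sock_kmalloc() is charged to the socket and is released with sock_kfree_s(), while kmalloc() memory is released with kfree(). The visible lines do not show how whoever frees the returned options knows which allocator was used, so a comment on the function stating when sk may be NULL, and which free routine pairs with each case, would make the ownership rule explicit.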

Re: [RFC PATCH 00/17] CALIPSO implementation

2015-12-22 Thread Huw Davies
On Tue, Dec 22, 2015 at 09:28:37AM -0800, Casey Schaufler wrote: > On 12/22/2015 3:46 AM, Huw Davies wrote: > > This patch series implements RFC 5570 - Common Architecture Label IPv6 > > Security Option (CALIPSO). Its goal is to set MLS sensitivity labels > > on IPv6 packets using a hop-by-hop

[PATCH v3 2/2] integrity: convert digsig to akcipher api

2015-12-22 Thread Tadeusz Struk
Convert asymmetric_verify to akcipher api. Signed-off-by: Tadeusz Struk --- security/integrity/Kconfig |1 + security/integrity/digsig_asymmetric.c | 10 +++--- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git

[PATCH v3 1/2] crypto: KEYS: convert public key to the akcipher api

2015-12-22 Thread Tadeusz Struk
This patch converts the module verification code to the new akcipher API. Signed-off-by: Tadeusz Struk --- crypto/asymmetric_keys/Kconfig|2 crypto/asymmetric_keys/Makefile |7 - crypto/asymmetric_keys/pkcs7_parser.c | 12 +-

[PATCH v3 0/2] crypto: KEYS: convert public key to akcipher api

2015-12-22 Thread Tadeusz Struk
This patch set converts the module verification and digital signature code to the new akcipher API. RSA implementation has been removed from crypto/asymmetric_keys and the new API is used for cryptographic primitives. There is no need for MPI above the akcipher API anymore. Modules can be verified