Instead of reading the firmware twice, once for measuring/appraising
the firmware and again loading it, this patch reads the firmware
once. This patch removes ima_fw_from_file() and replaces it with a
new hook named ima_read_file_contents().
As ima_read_file_contents() re-appraises the file each
Each time kexec loads an image, ignore the kexec cached status
and re-measure/re-appraise the image. This patch replaces the
iint kexec status with a generic read status in preparation for
measuring/verifying other files.
Signed-off-by: Mimi Zohar
---
ima_process_measurements() determines whether or not a file is in policy
before calculating the file hash. Instead of reading the file once for
calculating the file hash and possibly again for loading the file into
memory, this patch defines a new IMA hook named ima_read_file_from_fd()
to read,
From: Dmitry Kasatkin
Instead of playing with setting and passing pointers to pointers to the
ima_collect_measurement() to read and return 'security.ima' xattr value,
this patch moves functionality to the calling process_measurement()
to directly read xattr and pass only
Place a system_extra_cert buffer of configurable size, right after the
system_certificate_list, so that inserted keys can be readily processed by
the existing mechanism. Added script takes a key file and a kernel image
and inserts its contents to the reserved area. The
system_certificate_list_size
If a user key gets negatively instantiated, an error code is cached in the
payload area. A negatively instantiated key may then be positively
instantiated by updating it with valid data. However, the ->update key
type method must be aware that the error code may be there.
The following may
Hi James,
Can this be passed straight to Linus please?
Thanks,
David
--
To unsubscribe from this list: send the line "unsubscribe
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
When a certificate is inserted to the image using scripts/writekey, the
value of __cert_list_end does not change. The updated size can be found
out by reading the value pointed to by the system_certificate_list_size
symbol.
Signed-off-by: Mehmet Kayaalp
---
On Tue, 24 Nov 2015, David Howells wrote:
> Hi James,
>
> Can this be passed straight to Linus please?
Is this triggerable by normal users?
--
James Morris
Hello, chiming in late.
On Wed, Oct 28, 2015 at 01:59:15PM +0530, Parav Pandit wrote:
> Design guidelines:
> ---
> 1. There will be a new rdma cgroup for accounting rdma resources
> (instead of extending device cgroup).
> Rationale: RDMA tracks different types of resources and it