Hi Eric,
On Wed, Mar 1, 2023 at 10:26 PM Eric Wheeler wrote:
>
> Hurrah! I've been looking forward to this for a long time...
>
>
> ...So if you have any commentary on the future of dm-thin with respect
> to metadata range support, or dm-thin performance in general, that I would
> be very curiou
On Mon, Jan 30, 2023 at 5:58 PM Fan Wu wrote:
>
> From: Deven Bowers
>
> Integrity Policy Enforcement (IPE) is an LSM that provides a
> complementary approach to Mandatory Access Control than existing LSMs
> today.
>
> Existing LSMs have centered around the concept of access to a resource
> shou
On Mon, Jan 30, 2023 at 5:58 PM Fan Wu wrote:
>
> From: Deven Bowers
>
> IPE's interpretation of what the user trusts is accomplished through
> its policy. IPE's design is to not provide support for a single trust
> provider, but to support multiple providers to enable the end-user to
> choos
On Mon, Jan 30, 2023 at 5:58 PM Fan Wu wrote:
>
> From: Deven Bowers
>
> IPE must have a centralized function to evaluate incoming callers
> against IPE's policy. This iteration of the policy against the rules
> for that specific caller is known as the evaluation loop.
>
> In addition, IPE is des
On Mon, Jan 30, 2023 at 5:58 PM Fan Wu wrote:
>
> From: Deven Bowers
>
> As is typical with LSMs, IPE uses securityfs as its interface with
> userspace. For a complete list of the interfaces and the respective
> inputs/outputs, please see the documentation under
> admin-guide/LSM/ipe.rst
>
> Sign
On Mon, Jan 30, 2023 at 5:59 PM Fan Wu wrote:
>
> From: Deven Bowers
>
> IPE's initial goal is to control both execution and the loading of
> kernel modules based on the system's definition of trust. It
> accomplishes this by plugging into the security hooks for
> bprm_check_security, file_mprote
On Tue, Jan 31, 2023 at 12:11 PM Steve Grubb wrote:
>
> Hello,
>
> On Monday, January 30, 2023 5:57:22 PM EST Fan Wu wrote:
> > From: Deven Bowers
> >
> > Users of IPE require a way to identify when and why an operation fails,
> > allowing them to both respond to violations of policy and be notif
On Mon, Jan 30, 2023 at 5:58 PM Fan Wu wrote:
>
> From: Deven Bowers
>
> IPE, like SELinux, supports a permissive mode. This mode allows policy
> authors to test and evaluate IPE policy without it affecting their
> programs. When the mode is changed, a 1404 AUDIT_MAC_STATUS
> be reported.
>
> Thi
On Mon, Jan 30, 2023 at 5:58 PM Fan Wu wrote:
>
> From: Deven Bowers
>
> block_device structures can have valuable security properties,
> based on how they are created, and what subsystem manages them.
>
> By adding LSM storage to this structure, this data can be accessed
> at the LSM layer.
>
>
On Mon, Jan 30, 2023 at 5:58 PM Fan Wu wrote:
>
> From: Deven Bowers
>
> Allows author of IPE policy to indicate trust for a singular dm-verity
> volume, identified by roothash, through "dmverity_roothash" and all
> signed dm-verity volumes, through "dmverity_signature".
>
> Signed-off-by: Deven
On Tue, 28 Feb 2023 17:06:55 -0700, Uday Shankar wrote:
> The block layer might merge together discard requests up until the
> max_discard_segments limit is hit, but blk_insert_cloned_request checks
> the segment count against max_segments regardless of the req op. This
> can result in errors lik
On Tue, 2023-02-21 at 12:56 -0800, Brian Bunker wrote:
> A test unit ready command sent on a path in standby state will not result
> in a failed path. The same should be true for a path in the
> transitioning state.
>
> Signed-off-by: Brian Bunker br...@purestorage.com
In general, I'm somewhat
12 matches