+0x14d/0x1dc
[ 38.280032] [8113498b] SyS_open+0x1e/0x20
[ 38.280032] [814fcf69] system_call_fastpath+0x16/0x1b
---
Dmitry Kasatkin (2):
ima: re-introduce own integrity cache lock
ima: allocate user-space
.
Signed-off-by: Dmitry Kasatkin d.kasat...@samsung.com
---
security/integrity/ima/ima_crypto.c | 44 ++---
1 file changed, 36 insertions(+), 8 deletions(-)
diff --git a/security/integrity/ima/ima_crypto.c
b/security/integrity/ima/ima_crypto.c
index de5b974
by introducing additional atomic iint-attr_flags to
indicate calling of the hooks. The allowed locking order is to take
the iint-mutex first and then the i_mutex.
Signed-off-by: Dmitry Kasatkin d.kasat...@samsung.com
---
security/integrity/iint.c | 10 --
security/integrity/ima
On 9 May 2014 23:07, J. R. Okajima wrote:
>
> Mimi Zohar:
>> I assume so, as there wasn't any comment. As a temporary fix, would it
>> make sense not to measure/appraise/audit files opened with the direct-io
>> flag based policy? Define a new IMA policy option 'directio'. A sample
>> rule
On 9 May 2014 23:07, J. R. Okajima hooanon...@gmail.com wrote:
Mimi Zohar:
I assume so, as there wasn't any comment. As a temporary fix, would it
make sense not to measure/appraise/audit files opened with the direct-io
flag based policy? Define a new IMA policy option 'directio'. A sample
On 09/05/14 06:10, J. R. Okajima wrote:
> Dmitry Kasatkin:
>> Following patch replaces IMA usage of kernel_read() with special
>> version which skips security check that triggers kernel panic
>> when Apparmor and IMA appraisal are enabled together.
> I know t
On 09/05/14 06:10, J. R. Okajima wrote:
Dmitry Kasatkin:
Following patch replaces IMA usage of kernel_read() with special
version which skips security check that triggers kernel panic
when Apparmor and IMA appraisal are enabled together.
I know this is related to exit(2), but this behaviour
Hi,
Following patch replaces IMA usage of kernel_read() with special
version which skips security check that triggers kernel panic
when Apparmor and IMA appraisal are enabled together.
- Dmitry
Dmitry Kasatkin (1):
ima: introduce ima_kernel_read()
security/integrity/ima/ima_crypto.c | 32
ces special version ima_kernel_read(), which skips security,
mandatory locking checking and fsnotify. It prevents the kernel oops to happen.
Suggested-by: Eric W. Biederman
Signed-off-by: Dmitry Kasatkin
---
security/integrity/ima/ima_crypto.c | 32 +++-
1 file changed, 31
-by: Eric W. Biederman ebied...@xmission.com
Signed-off-by: Dmitry Kasatkin d.kasat...@samsung.com
---
security/integrity/ima/ima_crypto.c | 32 +++-
1 file changed, 31 insertions(+), 1 deletion(-)
diff --git a/security/integrity/ima/ima_crypto.c
b/security/integrity/ima
Hi,
Following patch replaces IMA usage of kernel_read() with special
version which skips security check that triggers kernel panic
when Apparmor and IMA appraisal are enabled together.
- Dmitry
Dmitry Kasatkin (1):
ima: introduce ima_kernel_read()
security/integrity/ima/ima_crypto.c | 32
On 6 May 2014 22:11, Al Viro wrote:
> On Tue, May 06, 2014 at 02:39:17PM -0400, Mimi Zohar wrote:
>
>> Al, you're not going to like this, but ima_calc_file_hash() calls
>> ima_calc_file_hash_tfm(), which already sets/unsets FMODE_READ in order
>> to calculate the file hash.
>
> And if it happens
On 6 May 2014 19:59, Al Viro wrote:
> On Tue, May 06, 2014 at 04:32:27PM +0300, Dmitry Kasatkin wrote:
>> Hi,
>>
>> I have discovered one IMA related issue.
>>
>> IMA file hash is re-calculate if needed on file close.
>>
>> It works with ftrun
Hi,
I have discovered one IMA related issue.
IMA file hash is re-calculate if needed on file close.
It works with ftruncate(fd, length) syscall, because it operates on
"opened" file.
Recalculation is happening on file close.
truncate(path, length) syscall works with path and no file open/close
On 6 May 2014 19:59, Al Viro v...@zeniv.linux.org.uk wrote:
On Tue, May 06, 2014 at 04:32:27PM +0300, Dmitry Kasatkin wrote:
Hi,
I have discovered one IMA related issue.
IMA file hash is re-calculate if needed on file close.
It works with ftruncate(fd, length) syscall, because it operates
On 6 May 2014 22:11, Al Viro v...@zeniv.linux.org.uk wrote:
On Tue, May 06, 2014 at 02:39:17PM -0400, Mimi Zohar wrote:
Al, you're not going to like this, but ima_calc_file_hash() calls
ima_calc_file_hash_tfm(), which already sets/unsets FMODE_READ in order
to calculate the file hash.
And
Hi,
I have discovered one IMA related issue.
IMA file hash is re-calculate if needed on file close.
It works with ftruncate(fd, length) syscall, because it operates on
opened file.
Recalculation is happening on file close.
truncate(path, length) syscall works with path and no file open/close
On 26 April 2014 20:42, Al Viro wrote:
> On Sat, Apr 26, 2014 at 07:54:47PM +0300, Dmitry Kasatkin wrote:
>> On 26 April 2014 16:56, Al Viro wrote:
>> > On Sat, Apr 26, 2014 at 11:58:45AM +0300, Dmitry Kasatkin wrote:
>> >
>> >> Conflict with Apparmor means
On 26 April 2014 16:56, Al Viro wrote:
> On Sat, Apr 26, 2014 at 11:58:45AM +0300, Dmitry Kasatkin wrote:
>
>> Conflict with Apparmor means with Ubuntu.
>>
>> But answering to your early question..
>> IMA does not want permission denied when measuring and r
On 26 April 2014 01:38, Eric W. Biederman wrote:
> Dmitry Kasatkin writes:
>
>> Is it really a show stopper to switch order of 2 functions as quick fix?
>> It was like that before 3.10 and seemed ok...
>
> When that is the question. The answer is yes it is a show
On 26 April 2014 01:11, Eric W. Biederman wrote:
> Dmitry Kasatkin writes:
>
>> On 26 April 2014 00:27, Eric W. Biederman wrote:
>>> Dmitry Kasatkin writes:
>>>
>>>> On 25 April 2014 23:45, Eric W. Biederman wrote:
>>>>> Dmitry Ka
On 26 April 2014 01:11, Eric W. Biederman ebied...@xmission.com wrote:
Dmitry Kasatkin dmitry.kasat...@gmail.com writes:
On 26 April 2014 00:27, Eric W. Biederman ebied...@xmission.com wrote:
Dmitry Kasatkin dmitry.kasat...@gmail.com writes:
On 25 April 2014 23:45, Eric W. Biederman ebied
On 26 April 2014 01:38, Eric W. Biederman ebied...@xmission.com wrote:
Dmitry Kasatkin dmitry.kasat...@gmail.com writes:
Is it really a show stopper to switch order of 2 functions as quick fix?
It was like that before 3.10 and seemed ok...
When that is the question. The answer is yes
On 26 April 2014 16:56, Al Viro v...@zeniv.linux.org.uk wrote:
On Sat, Apr 26, 2014 at 11:58:45AM +0300, Dmitry Kasatkin wrote:
Conflict with Apparmor means with Ubuntu.
But answering to your early question..
IMA does not want permission denied when measuring and re-measuring files
On 26 April 2014 20:42, Al Viro v...@zeniv.linux.org.uk wrote:
On Sat, Apr 26, 2014 at 07:54:47PM +0300, Dmitry Kasatkin wrote:
On 26 April 2014 16:56, Al Viro v...@zeniv.linux.org.uk wrote:
On Sat, Apr 26, 2014 at 11:58:45AM +0300, Dmitry Kasatkin wrote:
Conflict with Apparmor means
On 26 April 2014 00:46, Dmitry Kasatkin wrote:
> On 26 April 2014 00:27, Eric W. Biederman wrote:
>> Dmitry Kasatkin writes:
>>
>>> On 25 April 2014 23:45, Eric W. Biederman wrote:
>>>> Dmitry Kasatkin writes:
>>>>
>>>>> On 25
On 26 April 2014 00:27, Eric W. Biederman wrote:
> Dmitry Kasatkin writes:
>
>> On 25 April 2014 23:45, Eric W. Biederman wrote:
>>> Dmitry Kasatkin writes:
>>>
>>>> On 25 April 2014 23:01, Oleg Nesterov wrote:
>>>>> On 04/25, Eri
On 25 April 2014 23:45, Eric W. Biederman wrote:
> Dmitry Kasatkin writes:
>
>> On 25 April 2014 23:01, Oleg Nesterov wrote:
>>> On 04/25, Eric W. Biederman wrote:
>>>>
>>>> Oleg Nesterov writes:
>>>>
>>>> >
On 25 April 2014 23:01, Oleg Nesterov wrote:
> On 04/25, Eric W. Biederman wrote:
>>
>> Oleg Nesterov writes:
>>
>> > Well. I _think_ that __fput() and ima_file_free() in particular should not
>> > depend on current and/or current->nsproxy. If nothing else, fput() can be
>> > called by the
On 25/04/14 00:03, Mimi Zohar wrote:
> On Wed, 2014-04-23 at 16:30 +0300, Dmitry Kasatkin wrote:
>> Currently policy is loaded by writing policy content to
>> '/ima/policy' file.
>>
>> This patch extends policy loading meachanism with possibility
>> t
On 25/04/14 00:04, Mimi Zohar wrote:
> On Wed, 2014-04-23 at 16:30 +0300, Dmitry Kasatkin wrote:
>> This patch provides convenient buffer hash calculation function.
>>
>> Signed-off-by: Dmitry Kasatkin
> Where/how is it being used? We normally don't upstream a new fun
On 25/04/14 16:00, Dmitry Kasatkin wrote:
> Hello,
>
> I discovered a kernel panic on system running Ubuntu when IMA is enabled.
> It happens on reboot.
>
> --
> [ 106.750100] NSPROXY is NULL: error.log (/var/log/mysql/error.log)
> [ 106.750167] BUG:
Hello,
I discovered a kernel panic on system running Ubuntu when IMA is enabled.
It happens on reboot.
--
[ 106.750100] NSPROXY is NULL: error.log (/var/log/mysql/error.log)
[ 106.750167] BUG: unable to handle kernel NULL pointer dereference at
0018
[
Hello,
I discovered a kernel panic on system running Ubuntu when IMA is enabled.
It happens on reboot.
--
[ 106.750100] NSPROXY is NULL: error.log (/var/log/mysql/error.log)
[ 106.750167] BUG: unable to handle kernel NULL pointer dereference at
0018
[
On 25/04/14 16:00, Dmitry Kasatkin wrote:
Hello,
I discovered a kernel panic on system running Ubuntu when IMA is enabled.
It happens on reboot.
--
[ 106.750100] NSPROXY is NULL: error.log (/var/log/mysql/error.log)
[ 106.750167] BUG: unable to handle kernel NULL
On 25/04/14 00:04, Mimi Zohar wrote:
On Wed, 2014-04-23 at 16:30 +0300, Dmitry Kasatkin wrote:
This patch provides convenient buffer hash calculation function.
Signed-off-by: Dmitry Kasatkin d.kasat...@samsung.com
Where/how is it being used? We normally don't upstream a new function
On 25/04/14 00:03, Mimi Zohar wrote:
On Wed, 2014-04-23 at 16:30 +0300, Dmitry Kasatkin wrote:
Currently policy is loaded by writing policy content to
'securityfs/ima/policy' file.
This patch extends policy loading meachanism with possibility
to load signed policy using a path to the policy
On 25 April 2014 23:01, Oleg Nesterov o...@redhat.com wrote:
On 04/25, Eric W. Biederman wrote:
Oleg Nesterov o...@redhat.com writes:
Well. I _think_ that __fput() and ima_file_free() in particular should not
depend on current and/or current-nsproxy. If nothing else, fput() can be
called
On 25 April 2014 23:45, Eric W. Biederman ebied...@xmission.com wrote:
Dmitry Kasatkin dmitry.kasat...@gmail.com writes:
On 25 April 2014 23:01, Oleg Nesterov o...@redhat.com wrote:
On 04/25, Eric W. Biederman wrote:
Oleg Nesterov o...@redhat.com writes:
Well. I _think_ that __fput
On 26 April 2014 00:27, Eric W. Biederman ebied...@xmission.com wrote:
Dmitry Kasatkin dmitry.kasat...@gmail.com writes:
On 25 April 2014 23:45, Eric W. Biederman ebied...@xmission.com wrote:
Dmitry Kasatkin dmitry.kasat...@gmail.com writes:
On 25 April 2014 23:01, Oleg Nesterov o
On 26 April 2014 00:46, Dmitry Kasatkin dmitry.kasat...@gmail.com wrote:
On 26 April 2014 00:27, Eric W. Biederman ebied...@xmission.com wrote:
Dmitry Kasatkin dmitry.kasat...@gmail.com writes:
On 25 April 2014 23:45, Eric W. Biederman ebied...@xmission.com wrote:
Dmitry Kasatkin dmitry.kasat
On 24 April 2014 19:53, Mimi Zohar wrote:
> On Wed, 2014-04-23 at 16:30 +0300, Dmitry Kasatkin wrote:
>> From: Mimi Zohar
>>
>> Only public keys, with certificates signed by an existing
>> 'trusted' key on the system trusted keyring, should be added
>> to a
On 24 April 2014 19:53, Mimi Zohar zo...@linux.vnet.ibm.com wrote:
On Wed, 2014-04-23 at 16:30 +0300, Dmitry Kasatkin wrote:
From: Mimi Zohar zo...@linux.vnet.ibm.com
Only public keys, with certificates signed by an existing
'trusted' key on the system trusted keyring, should be added
.
Changes:
- Flaged out the code to prevent build break if system keyring
is not enabled (Dmitry).
Signed-off-by: Mimi Zohar
Signed-off-by: David Howells
Signed-off-by: Dmitry Kasatkin
---
crypto/asymmetric_keys/x509_public_key.c | 85 +++-
1 file changed, 84
.
Distributions might want to compile IMA support, but leave for the user
to decide if to enable or disable IMA functionality.
This patch provides kernel parameter 'ima=off' that allows to disable IMA.
Signed-off-by: Dmitry Kasatkin
---
security/integrity/ima/ima_main.c | 12 +++-
1 file changed
Initialize EVM before IMA to prevent appraisal failure when reading
EVM X509 certificate and HMAC key.
Signed-off-by: Dmitry Kasatkin
---
security/integrity/Makefile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/security/integrity/Makefile b/security/integrity/Makefile
Dmitry Kasatkin (19):
integrity: initialize EVM before IMA
ima: move asymmetric keys config option
integrity: move integrity subsystem options to a separate menu
integrity: provide builtin 'trusted' keyrings
ima: create '_ima' as a builtin 'trusted' keyring
integrity: provide x509 certificate
Provide configuration option to load X509 certificate into the
_evm kernel keyring.
Signed-off-by: Dmitry Kasatkin
---
security/integrity/evm/Kconfig| 9 +
security/integrity/evm/evm_main.c | 1 +
2 files changed, 10 insertions(+)
diff --git a/security/integrity/evm/Kconfig b
This patch provides convenient buffer hash calculation function.
Signed-off-by: Dmitry Kasatkin
---
security/integrity/ima/ima.h| 1 +
security/integrity/ima/ima_crypto.c | 11 +--
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/security/integrity/ima/ima.h b
Provide API to load x509 certificates from the kernel into the
integrity kernel keyrings.
Signed-off-by: Dmitry Kasatkin
---
security/integrity/Kconfig | 4 +++
security/integrity/digsig.c| 72 ++
security/integrity/integrity.h | 10 ++
3
Integrity subsystem got lots of options and takes more than half
of security menu.
This patch moves integrity subsystem options to a separate menu.
It does not affect existing configuration. Re-configuration is
not needed.
Signed-off-by: Dmitry Kasatkin
---
security/integrity/Kconfig | 11
will not be valid.
This patch replaces usage of opencount with busy bit.
Signed-off-by: Dmitry Kasatkin
---
security/integrity/ima/ima_fs.c | 23 ++-
1 file changed, 14 insertions(+), 9 deletions(-)
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
For better visual appearance it is better to co-locate
asymmetric key option together with signature support.
Signed-off-by: Dmitry Kasatkin
---
security/integrity/Kconfig | 24
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/security/integrity/Kconfig b
IMA default behavior is to forbid more than one policy update.
It easier to check at open phase if policy was already set,
so it would not be necessary to perform useless policy parsing
and removing of sysfs entry.
Signed-off-by: Dmitry Kasatkin
---
security/integrity/ima/ima.h| 1
This patch provide IMA policy loading from the kernel.
When CONFIG_IMA_KERNEL_POLICY is enabled, kernel tries
to load default /etc/ima_policy. Policy signature must
be located in /etc/ima_policy.sig.
Signed-off-by: Dmitry Kasatkin
---
security/integrity/ima/Kconfig| 7 +++
security
Provide creation of trusted keyrings, which require all keys
added to the keyrings be signed by an existing trusted key
on the system trusted keyring.
Signed-off-by: Dmitry Kasatkin
---
security/integrity/Kconfig | 4
security/integrity/digsig.c| 31
> /sys/kernel/security/ima/policy
Signed-off-by: Dmitry Kasatkin
---
security/integrity/ima/Kconfig | 13 +++
security/integrity/ima/ima.h| 9 +
security/integrity/ima/ima_fs.c | 2 +-
security/integrity/ima/ima_policy.c | 74 +
4 fi
.
Signed-off-by: Dmitry Kasatkin
---
security/integrity/ima/Kconfig | 8
security/integrity/ima/ima_fs.c | 2 ++
security/integrity/ima/ima_policy.c | 23 +++
3 files changed, 29 insertions(+), 4 deletions(-)
diff --git a/security/integrity/ima/Kconfig b
Provide configuration option to load X509 certificate into the
_ima kernel keyring.
Signed-off-by: Dmitry Kasatkin
---
security/integrity/ima/Kconfig| 9 +
security/integrity/ima/ima_init.c | 1 +
2 files changed, 10 insertions(+)
diff --git a/security/integrity/ima/Kconfig b
parameter 'evm=off' that allows to disable EVM.
Signed-off-by: Dmitry Kasatkin
---
security/integrity/evm/evm.h | 5 +
security/integrity/evm/evm_main.c | 19 +--
security/integrity/evm/evm_secfs.c | 3 ++-
3 files changed, 20 insertions(+), 7 deletions(-)
diff --git
EVM key might be initialzed in the kernel by kernel module
using HW specific way. For example such method would suite
devices with ARM Trust Zone technology.
This patch tries enable EVM by checking if evm-key already
exists in the kernel keyring.
Signed-off-by: Dmitry Kasatkin
---
security
.
However, it is recommended to use 'trusted' master key,
because 'user' master key is in non-encrypted form.
Signed-off-by: Dmitry Kasatkin
---
security/integrity/evm/Kconfig | 8
security/integrity/evm/evm.h| 9
security/integrity/evm/evm_crypto.c | 96
Require all keys added to the IMA keyring be signed by an
existing trusted key on the system trusted keyring.
Signed-off-by: Dmitry Kasatkin
---
security/integrity/ima/Kconfig| 9 +
security/integrity/ima/ima_init.c | 1 +
2 files changed, 10 insertions(+)
diff --git a/security
Require all keys added to the EVM keyring be signed by an
existing trusted key on the system trusted keyring.
Signed-off-by: Dmitry Kasatkin
---
security/integrity/evm/Kconfig| 8
security/integrity/evm/evm_main.c | 2 ++
2 files changed, 10 insertions(+)
diff --git a/security
Require all keys added to the EVM keyring be signed by an
existing trusted key on the system trusted keyring.
Signed-off-by: Dmitry Kasatkin d.kasat...@samsung.com
---
security/integrity/evm/Kconfig| 8
security/integrity/evm/evm_main.c | 2 ++
2 files changed, 10 insertions
Require all keys added to the IMA keyring be signed by an
existing trusted key on the system trusted keyring.
Signed-off-by: Dmitry Kasatkin d.kasat...@samsung.com
---
security/integrity/ima/Kconfig| 9 +
security/integrity/ima/ima_init.c | 1 +
2 files changed, 10 insertions
.
However, it is recommended to use 'trusted' master key,
because 'user' master key is in non-encrypted form.
Signed-off-by: Dmitry Kasatkin d.kasat...@samsung.com
---
security/integrity/evm/Kconfig | 8
security/integrity/evm/evm.h| 9
security/integrity/evm/evm_crypto.c
EVM key might be initialzed in the kernel by kernel module
using HW specific way. For example such method would suite
devices with ARM Trust Zone technology.
This patch tries enable EVM by checking if evm-key already
exists in the kernel keyring.
Signed-off-by: Dmitry Kasatkin d.kasat
parameter 'evm=off' that allows to disable EVM.
Signed-off-by: Dmitry Kasatkin d.kasat...@samsung.com
---
security/integrity/evm/evm.h | 5 +
security/integrity/evm/evm_main.c | 19 +--
security/integrity/evm/evm_secfs.c | 3 ++-
3 files changed, 20 insertions(+), 7
Provide configuration option to load X509 certificate into the
_ima kernel keyring.
Signed-off-by: Dmitry Kasatkin d.kasat...@samsung.com
---
security/integrity/ima/Kconfig| 9 +
security/integrity/ima/ima_init.c | 1 +
2 files changed, 10 insertions(+)
diff --git a/security
.
Signed-off-by: Dmitry Kasatkin d.kasat...@samsung.com
---
security/integrity/ima/Kconfig | 8
security/integrity/ima/ima_fs.c | 2 ++
security/integrity/ima/ima_policy.c | 23 +++
3 files changed, 29 insertions(+), 4 deletions(-)
diff --git a/security
/ima/ima_policy /sys/kernel/security/ima/policy
Signed-off-by: Dmitry Kasatkin d.kasat...@samsung.com
---
security/integrity/ima/Kconfig | 13 +++
security/integrity/ima/ima.h| 9 +
security/integrity/ima/ima_fs.c | 2 +-
security/integrity/ima/ima_policy.c | 74
Provide creation of trusted keyrings, which require all keys
added to the keyrings be signed by an existing trusted key
on the system trusted keyring.
Signed-off-by: Dmitry Kasatkin d.kasat...@samsung.com
---
security/integrity/Kconfig | 4
security/integrity/digsig.c| 31
This patch provide IMA policy loading from the kernel.
When CONFIG_IMA_KERNEL_POLICY is enabled, kernel tries
to load default /etc/ima_policy. Policy signature must
be located in /etc/ima_policy.sig.
Signed-off-by: Dmitry Kasatkin d.kasat...@samsung.com
---
security/integrity/ima/Kconfig| 7
IMA default behavior is to forbid more than one policy update.
It easier to check at open phase if policy was already set,
so it would not be necessary to perform useless policy parsing
and removing of sysfs entry.
Signed-off-by: Dmitry Kasatkin d.kasat...@samsung.com
---
security/integrity/ima
will not be valid.
This patch replaces usage of opencount with busy bit.
Signed-off-by: Dmitry Kasatkin d.kasat...@samsung.com
---
security/integrity/ima/ima_fs.c | 23 ++-
1 file changed, 14 insertions(+), 9 deletions(-)
diff --git a/security/integrity/ima/ima_fs.c b/security
For better visual appearance it is better to co-locate
asymmetric key option together with signature support.
Signed-off-by: Dmitry Kasatkin d.kasat...@samsung.com
---
security/integrity/Kconfig | 24
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git
Provide API to load x509 certificates from the kernel into the
integrity kernel keyrings.
Signed-off-by: Dmitry Kasatkin d.kasat...@samsung.com
---
security/integrity/Kconfig | 4 +++
security/integrity/digsig.c| 72 ++
security/integrity
Integrity subsystem got lots of options and takes more than half
of security menu.
This patch moves integrity subsystem options to a separate menu.
It does not affect existing configuration. Re-configuration is
not needed.
Signed-off-by: Dmitry Kasatkin d.kasat...@samsung.com
---
security
This patch provides convenient buffer hash calculation function.
Signed-off-by: Dmitry Kasatkin d.kasat...@samsung.com
---
security/integrity/ima/ima.h| 1 +
security/integrity/ima/ima_crypto.c | 11 +--
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/security
Provide configuration option to load X509 certificate into the
_evm kernel keyring.
Signed-off-by: Dmitry Kasatkin d.kasat...@samsung.com
---
security/integrity/evm/Kconfig| 9 +
security/integrity/evm/evm_main.c | 1 +
2 files changed, 10 insertions(+)
diff --git a/security
pkcs7_request_asymmetric_key() patch.
Changes:
- Flaged out the code to prevent build break if system keyring
is not enabled (Dmitry).
Signed-off-by: Mimi Zohar zo...@linux.vnet.ibm.com
Signed-off-by: David Howells dhowe...@redhat.com
Signed-off-by: Dmitry Kasatkin d.kasat...@samsung.com
---
crypto
.
Distributions might want to compile IMA support, but leave for the user
to decide if to enable or disable IMA functionality.
This patch provides kernel parameter 'ima=off' that allows to disable IMA.
Signed-off-by: Dmitry Kasatkin d.kasat...@samsung.com
---
security/integrity/ima/ima_main.c | 12
Initialize EVM before IMA to prevent appraisal failure when reading
EVM X509 certificate and HMAC key.
Signed-off-by: Dmitry Kasatkin d.kasat...@samsung.com
---
security/integrity/Makefile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/security/integrity/Makefile b
Dmitry Kasatkin (19):
integrity: initialize EVM before IMA
ima: move asymmetric keys config option
integrity: move integrity subsystem options to a separate menu
integrity: provide builtin 'trusted' keyrings
ima: create '_ima' as a builtin 'trusted' keyring
integrity: provide x509 certificate
On Wed, Mar 5, 2014 at 6:04 PM, Mimi Zohar wrote:
> On Wed, 2014-03-05 at 11:26 +0200, Dmitry Kasatkin wrote:
>> On Tue, Mar 4, 2014 at 10:36 PM, Mimi Zohar wrote:
>> > On Tue, 2014-03-04 at 16:18 +0200, Dmitry Kasatkin wrote:
>> >> On Tue, Mar 4, 2014 at 5:2
On Tue, Mar 4, 2014 at 10:36 PM, Mimi Zohar wrote:
> On Tue, 2014-03-04 at 16:18 +0200, Dmitry Kasatkin wrote:
>> On Tue, Mar 4, 2014 at 5:21 AM, Mimi Zohar wrote:
>> > On Mon, 2014-03-03 at 19:00 -0800, Casey Schaufler wrote:
>> >> On 3/3/2014 6:39 PM, Mimi Zohar
On Tue, Mar 4, 2014 at 10:36 PM, Mimi Zohar zo...@linux.vnet.ibm.com wrote:
On Tue, 2014-03-04 at 16:18 +0200, Dmitry Kasatkin wrote:
On Tue, Mar 4, 2014 at 5:21 AM, Mimi Zohar zo...@linux.vnet.ibm.com wrote:
On Mon, 2014-03-03 at 19:00 -0800, Casey Schaufler wrote:
On 3/3/2014 6:39 PM, Mimi
On Wed, Mar 5, 2014 at 6:04 PM, Mimi Zohar zo...@linux.vnet.ibm.com wrote:
On Wed, 2014-03-05 at 11:26 +0200, Dmitry Kasatkin wrote:
On Tue, Mar 4, 2014 at 10:36 PM, Mimi Zohar zo...@linux.vnet.ibm.com wrote:
On Tue, 2014-03-04 at 16:18 +0200, Dmitry Kasatkin wrote:
On Tue, Mar 4, 2014 at 5
On Tue, Mar 4, 2014 at 4:09 AM, Mimi Zohar wrote:
> On Fri, 2014-02-28 at 16:59 +0200, Dmitry Kasatkin wrote:
>> This patch replaces using of hmac version configuration parameter
>> with attribute list. It allows to build kernels which works with
>> previously labeled filesys
On Tue, Mar 4, 2014 at 5:21 AM, Mimi Zohar wrote:
> On Mon, 2014-03-03 at 19:00 -0800, Casey Schaufler wrote:
>> On 3/3/2014 6:39 PM, Mimi Zohar wrote:
>> > On Fri, 2014-02-28 at 16:59 +0200, Dmitry Kasatkin wrote:
>> >> EVM currently uses source hard co
On Tue, Mar 4, 2014 at 4:02 AM, Mimi Zohar wrote:
> On Fri, 2014-02-28 at 16:59 +0200, Dmitry Kasatkin wrote:
>> If keys are not enabled, EVM is not visible in the configuration menu.
>> It may be difficult to figure out what to do unless you really know.
>>
>> Ot
On Tue, Mar 4, 2014 at 4:02 AM, Mimi Zohar zo...@linux.vnet.ibm.com wrote:
On Fri, 2014-02-28 at 16:59 +0200, Dmitry Kasatkin wrote:
If keys are not enabled, EVM is not visible in the configuration menu.
It may be difficult to figure out what to do unless you really know.
Other subsystems
On Tue, Mar 4, 2014 at 5:21 AM, Mimi Zohar zo...@linux.vnet.ibm.com wrote:
On Mon, 2014-03-03 at 19:00 -0800, Casey Schaufler wrote:
On 3/3/2014 6:39 PM, Mimi Zohar wrote:
On Fri, 2014-02-28 at 16:59 +0200, Dmitry Kasatkin wrote:
EVM currently uses source hard coded list of xattrs which
On Tue, Mar 4, 2014 at 4:09 AM, Mimi Zohar zo...@linux.vnet.ibm.com wrote:
On Fri, 2014-02-28 at 16:59 +0200, Dmitry Kasatkin wrote:
This patch replaces using of hmac version configuration parameter
with attribute list. It allows to build kernels which works with
previously labeled filesystems
On Mon, Mar 3, 2014 at 3:41 PM, Mimi Zohar wrote:
> On Fri, 2014-02-28 at 16:59 +0200, Dmitry Kasatkin wrote:
>> Unfixed checkpatch errors make it difficult to see new errors..
>> This patch fix them.
>
> A number of these errors are a result of inconsistencies between Lin
On Mon, Mar 3, 2014 at 3:41 PM, Mimi Zohar zo...@linux.vnet.ibm.com wrote:
On Fri, 2014-02-28 at 16:59 +0200, Dmitry Kasatkin wrote:
Unfixed checkpatch errors make it difficult to see new errors..
This patch fix them.
A number of these errors are a result of inconsistencies between Lindent
This patch is on the top of Joe Perches patch.
- Dmitry
On 28/02/14 16:59, Dmitry Kasatkin wrote:
> Unfixed checkpatch errors make it difficult to see new errors..
> This patch fix them.
> Some lines with over 80 chars remained unchanged to improve
> code readability.
>
> Sig
line.
Signed-off-by: Dmitry Kasatkin
---
security/integrity/ima/ima_crypto.c | 180 +++-
1 file changed, 176 insertions(+), 4 deletions(-)
diff --git a/security/integrity/ima/ima_crypto.c
b/security/integrity/ima/ima_crypto.c
index 1bde8e6..baf7a4d 100644
Asynchronous hash API allows initiate hash calculation and perform
other tasks while hash is calculated.
This patch introduces using of double buffering for simultenous hashing
and reading of the next chunk of data from storage.
Signed-off-by: Dmitry Kasatkin
---
security/integrity/ima
501 - 600 of 735 matches
Mail list logo