[PATCH v2 0/4] Basic trusted keys support for TPM 2.0

2015-10-13 Thread Jarkko Sakkinen
Basic trusted keys support: auth value and SHA256. v2: * Removed all the changes that modify the existing functions to use the new struct tpm_buf. These changes should be done separately from this patch set as they require separate QA + review. * 'keyhandle=' is now required for TPM2. Makes

Re: [PATCH v2 0/4] Basic trusted keys support for TPM 2.0

2015-10-13 Thread Jarkko Sakkinen
On Tue, Oct 13, 2015 at 11:11:21AM +0300, Jarkko Sakkinen wrote: > Basic trusted keys support: auth value and SHA256. > > v2: > > * Removed all the changes that modify the existing functions to use > the new struct tpm_buf. These changes should be done separately from > this patch set as

[PATCH v2 3/4] tpm: seal/unseal for TPM 2.0

2015-10-13 Thread Jarkko Sakkinen
Added tpm_trusted_seal() and tpm_trusted_unseal() API for sealing trusted keys. This patch implements basic sealing and unsealing functionality for TPM 2.0: * Seal with a parent key using a 20 byte auth value. * Unseal with a parent key using a 20 byte auth value. Signed-off-by: Jarkko Sakkinen

[PATCH v2 4/7] fs: Treat foreign mounts as nosuid

2015-10-13 Thread Seth Forshee
From: Andy Lutomirski If a process gets access to a mount from a different user namespace, that process should not be able to take advantage of setuid files or selinux entrypoints from that filesystem. Prevent this by treating mounts from other mount namespaces and those

[PATCH v2 3/7] mtd: Check permissions towards mtd block device inode when mounting

2015-10-13 Thread Seth Forshee
Unprivileged users should not be able to mount mtd block devices when they lack sufficient privileges towards the block device inode. Update mount_mtd() to validate that the user has the required access to the inode at the specified path. The check will be skipped for CAP_SYS_ADMIN, so privileged

[PATCH v2 5/7] selinux: Add support for unprivileged mounts from user namespaces

2015-10-13 Thread Seth Forshee
Security labels from unprivileged mounts in user namespaces must be ignored. Force superblocks from user namespaces whose labeling behavior is to use xattrs to use mountpoint labeling instead. For the mountpoint label, default to converting the current task context into a form suitable for file

Re: [PATCH v2 0/4] Basic trusted keys support for TPM 2.0

2015-10-13 Thread Jason Gunthorpe
On Tue, Oct 13, 2015 at 11:11:21AM +0300, Jarkko Sakkinen wrote: > * I updated tpm_buf to be a heap based structure. Now there's one full > page of memory for variable sized messages. Also the stack is greatly > reduced. You may as well just use a skb then. Jason

[PATCH v2 6/7] userns: Replace in_userns with current_in_userns

2015-10-13 Thread Seth Forshee
All current callers of in_userns pass current_user_ns as the first argument. Simplify by replacing in_userns with current_in_userns which checks whether current_user_ns is in the namespace supplied as an argument. Signed-off-by: Seth Forshee --- fs/namespace.c

Re: seccomp and audit_enabled

2015-10-13 Thread Paul Moore
On Mon, Oct 12, 2015 at 4:45 PM, Kees Cook wrote: > On Mon, Oct 12, 2015 at 10:53 AM, Tony Jones wrote: >> From d6971ec9508244f7a1ab42f9ac4c59b7e1ca6145 Mon Sep 17 00:00:00 2001 >> From: Tony Jones >> Date: Sat, 10 Oct 2015 19:30:49 -0700 >>

Re: seccomp and audit_enabled

2015-10-13 Thread Tony Jones
On 10/13/2015 09:11 AM, Paul Moore wrote: > On Mon, Oct 12, 2015 at 4:45 PM, Kees Cook wrote: >> On Mon, Oct 12, 2015 at 10:53 AM, Tony Jones wrote: >>> From d6971ec9508244f7a1ab42f9ac4c59b7e1ca6145 Mon Sep 17 00:00:00 2001 >>> From: Tony Jones

Re: [PATCH v2 0/4] Basic trusted keys support for TPM 2.0

2015-10-13 Thread Jarkko Sakkinen
On Tue, Oct 13, 2015 at 11:41:20AM -0600, Jason Gunthorpe wrote: > On Tue, Oct 13, 2015 at 11:11:21AM +0300, Jarkko Sakkinen wrote: > > > * I updated tpm_buf to be a heap based structure. Now there's one full > > page of memory for variable sized messages. Also the stack is greatly > >

Re: seccomp and audit_enabled

2015-10-13 Thread Tony Jones
On 10/13/2015 12:19 PM, Paul Moore wrote: >> No, it's the default audit.rules (-D, -b320). No actual rules loaded. >> Let me add some instrumentation and figure out what's going on. auditd >> is masked (via systemd) but systemd-journal seems to set audit_enabled=1 >> during startup (at least

Re: [PATCH 3/4] tpm: seal/unseal for TPM 2.0

2015-10-13 Thread Jarkko Sakkinen
On Tue, Oct 13, 2015 at 11:34:42AM -0600, Jason Gunthorpe wrote: > On Fri, Oct 02, 2015 at 11:38:17AM +0300, Jarkko Sakkinen wrote: > > Added tpm_trusted_seal() and tpm_trusted_unseal() API for sealing > > trusted keys. > > > > This patch implements basic sealing and unsealing functionality for >