Re: [PATCH] IMA: policy can be updated zero times

2015-12-23 Thread Petko Manolov
On 15-12-22 16:50:01, Sasha Levin wrote: > On 12/22/2015 04:40 PM, Petko Manolov wrote: > >> Thanks, Sasha. By the time ima_update_policy() is called > >> >ima_release_policy() has already output the policy update status > >> >message. I guess an empty policy could be considered a valid policy.

Re: [PATCH v4] crypto: KEYS: convert public key and digsig asym to the akcipher api

2015-12-23 Thread Herbert Xu
On Wed, Dec 23, 2015 at 06:33:53AM -0800, Tadeusz Struk wrote: > > Changes in v4: > - Flatten both patches into one to avoid bisect compilation problems. Why is this necessary? Cheers, -- Email: Herbert Xu Home Page: http://gondor.apana.org.au/~herbert/ PGP Key:

[PATCH v4] crypto: KEYS: convert public key and digsig asym to the akcipher api

2015-12-23 Thread Tadeusz Struk
This patch converts the module verification and digital signature code to the new akcipher API. RSA implementation has been removed from crypto/asymmetric_keys and the new API is used for cryptographic primitives. There is no need for MPI above the akcipher API anymore. Modules can be verified

Re: [PATCH v4] crypto: KEYS: convert public key and digsig asym to the akcipher api

2015-12-23 Thread Tadeusz Struk
On 12/23/2015 06:51 AM, Herbert Xu wrote: >> > Changes in v4: >> > - Flatten both patches into one to avoid bisect compilation problems. > Why is this necessary? Because the first patch modifies the struct public_key and removes the MPIs from it, which the code modified in the second patch still

Re: [RFC PATCH 00/17] CALIPSO implementation

2015-12-23 Thread Paul Moore
On Tue, Dec 22, 2015 at 12:28 PM, Casey Schaufler wrote: > On 12/22/2015 3:46 AM, Huw Davies wrote: >> This patch series implements RFC 5570 - Common Architecture Label IPv6 >> Security Option (CALIPSO). Its goal is to set MLS sensitivity labels >> on IPv6 packets using a

Re: [PATCH v4] crypto: KEYS: convert public key and digsig asym to the akcipher api

2015-12-23 Thread Tadeusz Struk
On 12/23/2015 12:21 PM, Herbert Xu wrote: > Why not just leave the MPIs in the structure and only remove them > by adding a third patch? Right, I think that's a better way of resolving this. v5 on it's way. Thanks, -- TS -- To unsubscribe from this list: send the line "unsubscribe

[PATCH v2 2/7] ima: load policy using path

2015-12-23 Thread Mimi Zohar
From: Dmitry Kasatkin We currently cannot do appraisal or signature vetting of IMA policies since we currently can only load IMA policies by writing the contents of the policy directly in, as follows: cat policy-file > /ima/policy If we provide the kernel the path to

[PATCH v2 7/7] ima: require signed IMA policy

2015-12-23 Thread Mimi Zohar
Require the IMA policy to be signed when additional rules can be added. Changelog v1: - initialize the policy flag - include IMA_APPRAISE_POLICY in the policy flag Signed-off-by: Mimi Zohar --- security/integrity/ima/ima_policy.c | 7 +++ 1 file changed, 7

[PATCH v5 1/3] crypto: KEYS: convert public key and digsig asym to the akcipher api

2015-12-23 Thread Tadeusz Struk
This patch converts the module verification code to the new akcipher API. Signed-off-by: Tadeusz Struk --- crypto/asymmetric_keys/Kconfig|2 crypto/asymmetric_keys/Makefile |7 - crypto/asymmetric_keys/pkcs7_parser.c | 12 +-

[PATCH v5 2/3] integrity: convert digsig to akcipher api

2015-12-23 Thread Tadeusz Struk
Convert asymmetric_verify to akcipher api. Signed-off-by: Tadeusz Struk --- security/integrity/Kconfig |1 + security/integrity/digsig_asymmetric.c | 10 +++--- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git

[PATCH v5 0/3] crypto: KEYS: convert public key to akcipher api

2015-12-23 Thread Tadeusz Struk
This patch set converts the module verification and digital signature code to the new akcipher API. RSA implementation has been removed from crypto/asymmetric_keys and the new API is used for cryptographic primitives. There is no need for MPI above the akcipher API anymore. Modules can be verified

[PATCH v5 3/3] crypto: public_key: remove MPIs from public_key_signature struct

2015-12-23 Thread Tadeusz Struk
After digsig_asymmetric.c is converted the MPIs can be now safely removed from the public_key_signature structure. Signed-off-by: Tadeusz Struk --- include/crypto/public_key.h | 14 +- 1 file changed, 1 insertion(+), 13 deletions(-) diff --git

[PATCH v2 5/7] ima: measure and appraise firmware (improvement)

2015-12-23 Thread Mimi Zohar
Instead of reading the firmware twice, once for measuring/appraising the firmware and again reading the file contents into memory, this patch reads the firmware once. Signed-off-by: Mimi Zohar --- drivers/base/firmware_class.c | 5 + include/linux/ima.h

[PATCH v2 0/7] ima: measuring/appraising files read by the kernel

2015-12-23 Thread Mimi Zohar
This patch set closes a number of measurement/appraisal gaps by defining a generic function named ima_hash_and_process_file() for measuring and appraising files read by the kernel (eg. kexec image and initramfs, firmware, IMA policy). To differentiate between callers of

[PATCH v2 6/7] ima: measure and appraise the IMA policy itself

2015-12-23 Thread Mimi Zohar
Call ima_hash_and_process_file() to measure and appraise the IMA policy. This patch defines a new policy hook named POLICY_CHECK. Changelog v2: - remove S_ISREG() test Signed-off-by: Mimi Zohar --- include/linux/ima.h | 1 +

[PATCH v2 1/7] ima: separate 'security.ima' reading functionality from collect

2015-12-23 Thread Mimi Zohar
From: Dmitry Kasatkin Instead of passing pointers to pointers to ima_collect_measurent() to read and return the 'security.ima' xattr value, this patch moves the functionality to the calling process_measurement() to directly read the xattr and pass only the hash algo to

[PATCH v2 4/7] ima: measure and appraise kexec image and initramfs

2015-12-23 Thread Mimi Zohar
This patch defines a new IMA hook ima_hash_and_process_file() for measuring and appraising files read by the kernel. The caller loads the file into memory before calling this function, which calculates the hash followed by the normal IMA policy based processing. Two new IMA policy functions

[PATCH v2 3/7] ima: provide buffer hash calculation function

2015-12-23 Thread Mimi Zohar
From: Dmitry Kasatkin This patch provides convenient buffer hash calculation function. Signed-off-by: Dmitry Kasatkin Signed-off-by: Mimi Zohar --- security/integrity/ima/ima.h| 2 ++

[PATCH v3 0/5] firmware_class: extensible firmware API

2015-12-23 Thread Luis R. Rodriguez
get to this yet. I'll be back January 13th. These patches are based on top of linux-next tag next-20151223. [0] http://lkml.kernel.org/r/1443721449-22882-1-git-send-email-mcg...@do-not-panic.com [1] http://kernelnewbies.org/KernelProjects/firmware-class-enhancements David Howells (2): firmware:

[PATCH v3 2/5] firmware: move completing fw into a helper

2015-12-23 Thread Luis R. Rodriguez
From: "Luis R. Rodriguez" This will be re-used later through a new extensible interface. Signed-off-by: Luis R. Rodriguez --- drivers/base/firmware_class.c | 14 ++ 1 file changed, 10 insertions(+), 4 deletions(-) diff --git

[PATCH v3 4/5] firmware: generalize reading file contents as a helper

2015-12-23 Thread Luis R. Rodriguez
From: David Howells We'll want to reuse this same code later in order to read two separate types of file contents. This generalizes fw_read_file_contents() for reading a file and rebrands it as fw_read_file(). This new caller is now generic: the path used can be arbitrary

[PATCH v3 5/5] firmware: add an extensible system data helpers

2015-12-23 Thread Luis R. Rodriguez
From: "Luis R. Rodriguez" The firmware API has evolved over the years slowly, as it grows we extend it by adding new routines or at times we extend existing routines with more or less arguments. This doesn't scale well, when new arguments are added to existing routines it means

Re: [PATCH net] sctp: label accepted/peeled off sockets

2015-12-23 Thread Paul Moore
On Wednesday, December 23, 2015 04:44:09 PM Marcelo Ricardo Leitner wrote: > From: Marcelo Ricardo Leitner > > Accepted or peeled off sockets were missing a security label (e.g. > SELinux) which means that socket was in "unlabeled" state. > > This patch clones the

[PATCH v3 3/5] firmware: fold successful fw read early

2015-12-23 Thread Luis R. Rodriguez
From: David Howells We'll be folding in some more checks on fw_read_file_contents(), this will make the success case easier to follow. Signed-off-by: David Howells Signed-off-by: Luis R. Rodriguez --- drivers/base/firmware_class.c |

[PATCH v3 1/5] firmware: generalize "firmware" as "system data" helpers

2015-12-23 Thread Luis R. Rodriguez
From: "Luis R. Rodriguez" Historically firmware_class code was added to help get device driver firmware binaries but these days request_firmware*() helpers are being repurposed for general system data needed by the kernel. Annotate this before we extend firmare_class more, as

Re: [PATCH v4] crypto: KEYS: convert public key and digsig asym to the akcipher api

2015-12-23 Thread Herbert Xu
On Wed, Dec 23, 2015 at 06:58:55AM -0800, Tadeusz Struk wrote: > > Because the first patch modifies the struct public_key and removes the MPIs > from it, > which the code modified in the second patch still uses. If bisect only takes > the first > then the build will fail on the

Re: [PATCH] IMA: policy can be updated zero times

2015-12-23 Thread Mimi Zohar
On Wed, 2015-12-23 at 13:47 +0200, Petko Manolov wrote: > On 15-12-22 16:50:01, Sasha Levin wrote: > > On 12/22/2015 04:40 PM, Petko Manolov wrote: > > >> Thanks, Sasha. By the time ima_update_policy() is called > > >> >ima_release_policy() has already output the policy update status > > >>

Re: [Linux-ima-devel] [PATCH] IMA: policy can be updated zero times

2015-12-23 Thread Mimi Zohar
On Wed, 2015-12-23 at 07:24 -0500, Mimi Zohar wrote: > On Wed, 2015-12-23 at 13:47 +0200, Petko Manolov wrote: > > > On 15-12-22 16:50:01, Sasha Levin wrote: > > > On 12/22/2015 04:40 PM, Petko Manolov wrote: > > > >> Thanks, Sasha. By the time ima_update_policy() is called > > > >>

Re: [PATCH v3 1/2] crypto: KEYS: convert public key to the akcipher api

2015-12-23 Thread kbuild test robot
Hi Tadeusz, [auto build test ERROR on cryptodev/master] [also build test ERROR on v4.4-rc6 next-20151223] url: https://github.com/0day-ci/linux/commits/Tadeusz-Struk/crypto-KEYS-convert-public-key-to-akcipher-api/20151223-132001 base: https://git.kernel.org/pub/scm/linux/kernel/git