Re: [PATCH v2 4/9] ima: Reset EVM status upon detecting changes to the real file

2024-02-06 Thread kernel test robot
Hi Stefan, kernel test robot noticed the following build errors: [auto build test ERROR on zohar-integrity/next-integrity] [also build test ERROR on pcmoore-selinux/next linus/master v6.8-rc3 next-20240206] [cannot apply to mszeredi-vfs/overlayfs-next mszeredi-vfs/next] [If your patch

Re: [RFC PATCH v2 0/4] tsm: Runtime measurement registers ABI

2024-02-06 Thread Dan Williams
James Bottomley wrote: > There isn't really anything more complex about an interface that takes > a log entry, and does the record an extend, than an interface which > takes a PCR extension value. So best practice would say that you > should create the ABI that you can't get wrong (log and

Re: [PATCH v2 5/9] evm: Use the inode holding the metadata to calculate metadata hash

2024-02-06 Thread kernel test robot
Hi Stefan, kernel test robot noticed the following build errors: [auto build test ERROR on zohar-integrity/next-integrity] [also build test ERROR on pcmoore-selinux/next linus/master v6.8-rc3 next-20240206] [cannot apply to mszeredi-vfs/overlayfs-next mszeredi-vfs/next] [If your patch

Re: [PATCH 0/2] Decomplicate file_dentry()

2024-02-06 Thread Christian Brauner
On Fri, 02 Feb 2024 13:01:30 +0200, Amir Goldstein wrote: > Miklos, > > When posting the patches for file_user_path(), I wrote [1]: > > "This change already makes file_dentry() moot, but for now we did not > change this helper just added a WARN_ON() in ovl_d_real() to catch if we > have made

Re: [PATCH v2 9/9] ima: Record i_version of real_inode for change detection

2024-02-06 Thread Jeff Layton
On Tue, 2024-02-06 at 17:23 +0200, Amir Goldstein wrote: > On Mon, Feb 5, 2024 at 8:25 PM Stefan Berger wrote: > > > > process_measurement() will try to detect file content changes for not-yet- > > copied-up files on a stacked filesystem based on the i_version number of > > the real inode:

Re: [PATCH v2 4/9] ima: Reset EVM status upon detecting changes to the real file

2024-02-06 Thread Amir Goldstein
On Mon, Feb 5, 2024 at 8:25 PM Stefan Berger wrote: > > Piggyback the resetting of EVM status on IMA's file content detection that > is triggered when a not-yet-copied-up file on the 'lower' layer was > changed. However, since EVM only cares about changes to the file metadata, > only reset the

Re: [PATCH 2/2] fs: remove the inode argument to ->d_real() method

2024-02-06 Thread Amir Goldstein
On Fri, Feb 2, 2024 at 3:55 PM Christian Brauner wrote: > > On Fri, Feb 02, 2024 at 02:41:16PM +0200, Amir Goldstein wrote: > > On Fri, Feb 2, 2024 at 2:19 PM Miklos Szeredi wrote: > > > > > > On Fri, 2 Feb 2024 at 12:01, Amir Goldstein wrote: > > > > > > > diff --git

Re: [PATCH v2 5/9] evm: Use the inode holding the metadata to calculate metadata hash

2024-02-06 Thread Amir Goldstein
On Mon, Feb 5, 2024 at 8:25 PM Stefan Berger wrote: > > Changes to file attributes (mode bits, uid, gid) on the lower layer are > not taken into account when d_backing_inode() is used when a file is > accessed on the overlay layer and this file has not yet been copied up. > This is because

Re: [PATCH v2 1/9] ima: Rename backing_inode to real_inode

2024-02-06 Thread Amir Goldstein
On Mon, Feb 5, 2024 at 8:25 PM Stefan Berger wrote: > > Rename the backing_inode variable to real_inode since it gets its value > from real_inode(). > > Suggested-by: Amir Goldstein > Signed-off-by: Stefan Berger Acked-by: Amir Goldstein > --- > security/integrity/ima/ima_main.c | 18

Re: [PATCH v2 9/9] ima: Record i_version of real_inode for change detection

2024-02-06 Thread Amir Goldstein
On Mon, Feb 5, 2024 at 8:25 PM Stefan Berger wrote: > > process_measurement() will try to detect file content changes for not-yet- > copied-up files on a stacked filesystem based on the i_version number of > the real inode: !inode_eq_iversion(real_inode, iint->version) > Therefore, take a

Re: [PATCH v2 2/9] security: allow finer granularity in permitting copy-up of security xattrs

2024-02-06 Thread Amir Goldstein
On Mon, Feb 5, 2024 at 8:25 PM Stefan Berger wrote: > > Copying up xattrs is solely based on the security xattr name. For finer > granularity add a dentry parameter to the security_inode_copy_up_xattr > hook definition, allowing decisions to be based on the xattr content as > well. > >

Re: [PATCH v2 7/9] fs: Rename SB_I_EVM_UNSUPPORTED to SB_I_EVM_HMAC_UNSUPPORTED

2024-02-06 Thread Amir Goldstein
On Mon, Feb 5, 2024 at 8:25 PM Stefan Berger wrote: > > Now that EVM supports RSA signatures for previously completely > unsupported filesystems rename the flag SB_I_EVM_UNSUPPORTED to > SB_I_EVM_HMAC_UNSUPPORTED to reflect that only HMAC is not supported. > > Suggested-by: Amir Goldstein >

Re: [PATCH v2 4/9] ima: Reset EVM status upon detecting changes to the real file

2024-02-06 Thread kernel test robot
Hi Stefan, kernel test robot noticed the following build errors: [auto build test ERROR on zohar-integrity/next-integrity] [also build test ERROR on pcmoore-selinux/next linus/master v6.8-rc3 next-20240206] [cannot apply to mszeredi-vfs/overlayfs-next mszeredi-vfs/next] [If your patch

Re: [RFC PATCH v2 0/4] tsm: Runtime measurement registers ABI

2024-02-06 Thread James Bottomley
On Tue, 2024-02-06 at 00:34 -0800, Xing, Cedric wrote: [...] > I'm not familiar with existing TPM code. Per > https://elixir.free-electrons.com/linux/latest/source/drivers/char/tpm/tpm-interface.c#L314 > , > tpm_pcr_extend() doesn't seem to take/log the actual event, but only > extends the PCR.
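The two messages above from the tsm runtime measurement registers thread (Dan Williams quoting James Bottomley on preferring a log-and-extend ABI, and James Bottomley's reply noting that tpm_pcr_extend() only extends the PCR and does not log the event) argue about an interface property that is easy to show in code. What follows is an added example, not code from the kernel, from the tsm patch series, or from any participant in the thread: a user-space model of an extend-only interface beside a log-and-extend interface, plus a verifier that replays the event log into the registers the way a remote attestation verifier would. The register width, the number of registers, the sample event strings and all function names are assumptions made for the illustration.

```python
import hashlib

DIGEST_SIZE = 32        # SHA-256 registers (assumption: a single SHA-256 bank)
NUM_REGISTERS = 4       # assumption for the model
ZERO = bytes(DIGEST_SIZE)


def extend(register: bytes, digest: bytes) -> bytes:
    """Register extend: new = H(old || digest). Order-sensitive and irreversible."""
    if len(register) != DIGEST_SIZE or len(digest) != DIGEST_SIZE:
        raise ValueError("register and digest must be SHA-256 sized")
    return hashlib.sha256(register + digest).digest()


class LogEntry:
    def __init__(self, index: int, event: bytes, digest: bytes):
        self.index = index      # register that was extended
        self.event = event      # event data the caller recorded
        self.digest = digest    # value claimed to have been folded into the register


class Registers:
    """Model of a measurement-register device together with its event log."""

    def __init__(self):
        self.values = [ZERO] * NUM_REGISTERS
        self.log = []

    # Interface A: extend-only (the shape of tpm_pcr_extend() as discussed above).
    # The caller is responsible for writing a matching log entry some other way.
    def extend_only(self, index: int, digest: bytes) -> None:
        self.values[index] = extend(self.values[index], digest)

    # Interface B: log-and-extend. The record and the extend happen together,
    # so the log cannot drift from the register.
    def log_and_extend(self, index: int, event: bytes) -> bytes:
        digest = hashlib.sha256(event).digest()
        self.log.append(LogEntry(index, event, digest))
        self.values[index] = extend(self.values[index], digest)
        return digest


def replay(log, num_registers: int = NUM_REGISTERS):
    """Recompute register values from the log alone, as a remote verifier would.
    Returns None if an entry's event data does not hash to its claimed digest."""
    values = [ZERO] * num_registers
    for entry in log:
        if hashlib.sha256(entry.event).digest() != entry.digest:
            return None
        values[entry.index] = extend(values[entry.index], entry.digest)
    return values


def verify(regs: Registers) -> bool:
    """True iff the log fully explains the current register values."""
    return replay(regs.log, len(regs.values)) == regs.values


# Constructed sample events for the model; they are not real measurements.
KERNEL_EVENT = b"kernel: vmlinuz-6.8-rc3"
IMA_EVENT = b"ima: /usr/bin/bash"


def scenario_log_and_extend() -> bool:
    """Interface B: every extend leaves a log entry, so replay matches."""
    regs = Registers()
    regs.log_and_extend(0, KERNEL_EVENT)
    regs.log_and_extend(1, IMA_EVENT)
    return verify(regs)


def scenario_extend_without_log() -> bool:
    """Interface A misuse: register 0 is extended but the event is never logged."""
    regs = Registers()
    regs.extend_only(0, hashlib.sha256(KERNEL_EVENT).digest())
    digest = hashlib.sha256(IMA_EVENT).digest()
    regs.log.append(LogEntry(1, IMA_EVENT, digest))
    regs.extend_only(1, digest)
    return verify(regs)


def scenario_log_mismatch() -> bool:
    """Interface A misuse: the log records one event, the register got another."""
    regs = Registers()
    regs.log.append(LogEntry(0, KERNEL_EVENT, hashlib.sha256(KERNEL_EVENT).digest()))
    regs.extend_only(0, hashlib.sha256(b"kernel: something else").digest())
    return verify(regs)


if __name__ == "__main__":
    print("log-and-extend verifies:", scenario_log_and_extend())
    print("extend without log verifies:", scenario_extend_without_log())
    print("log/extend mismatch verifies:", scenario_log_mismatch())
```

The point the model makes is the one raised in the thread: with an extend-only call the register and the out-of-band log are two separate state machines that a caller can desynchronise, and once they diverge the verifier can only reject the whole attestation because it has no way to tell a missing log entry from tampering. A log-and-extend call removes that failure mode by construction, which is why it is the interface that is hard to misuse.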

Re: [RFC PATCH v2 0/4] tsm: Runtime measurement registers ABI

2024-02-06 Thread Xing, Cedric
On 2/3/2024 2:27 AM, James Bottomley wrote: On Fri, 2024-02-02 at 23:13 -0800, Kuppuswamy Sathyanarayanan wrote: On 2/2/24 10:03 PM, James Bottomley wrote: On Fri, 2024-02-02 at 17:07 -0600, Dan Middleton wrote: On 2/2/24 12:24 AM, James Bottomley wrote: On Sun, 2024-01-28 at 22:25 +0100,