On 7/20/20 11:44 AM, Stephen Smalley wrote:
Actually, if we used ima-ng template for selinux-policy-hash, then
instead of needing to hash the policy
first and passing the hash to IMA, we could just pass the policy as
the buffer and IMA would take care of the hashing, right?
That is correct.
On Mon, Jul 20, 2020 at 2:27 PM Lakshmi Ramasubramanian
wrote:
>
> On 7/20/20 10:49 AM, Stephen Smalley wrote:
>
> >>>
> >>> Looks like the template used is ima-ng which doesn't include the
> >>> measured buffer. Please set template to "ima-buf" in the policy.
> >>>
> >>> For example,
> >>> measur
On 7/20/20 10:49 AM, Stephen Smalley wrote:
Looks like the template used is ima-ng which doesn't include the
measured buffer. Please set template to "ima-buf" in the policy.
For example,
measure func=LSM_STATE template=ima-buf
It seems like one shouldn't need to manually specify it if it is
On Mon, Jul 20, 2020 at 1:40 PM Stephen Smalley
wrote:
>
> On Mon, Jul 20, 2020 at 1:34 PM Lakshmi Ramasubramanian
> wrote:
> >
> > On 7/20/20 10:06 AM, Stephen Smalley wrote:
> >
> > >> The above will ensure the following sequence will be measured:
> > >> #1 State A - Measured
> > >> #2 Ch
On Mon, Jul 20, 2020 at 1:34 PM Lakshmi Ramasubramanian
wrote:
>
> On 7/20/20 10:06 AM, Stephen Smalley wrote:
>
> >> The above will ensure the following sequence will be measured:
> >> #1 State A - Measured
> >> #2 Change from State A to State B - Measured
> >> #3 Change from State B bac
On 7/20/20 10:06 AM, Stephen Smalley wrote:
The above will ensure the following sequence will be measured:
#1 State A - Measured
#2 Change from State A to State B - Measured
#3 Change from State B back to State A - Since the measured data is
same as in #1, the change will be measured on
On Mon, 2020-07-20 at 13:06 -0400, Stephen Smalley wrote:
>
>
> I applied the patch series on top of the next-integrity branch, added
> measure func=LSM_STATE to ima-policy, and booted that kernel. I get
> the following entries in ascii_runtime_measurements, but seemingly
> missing the final fie
On Mon, Jul 20, 2020 at 11:17 AM Lakshmi Ramasubramanian
wrote:
> Thanks for trying out the changes. Please let me know the defects you find.
>
> Just to let you know - I am making the following change (will update in
> the next patch):
>
> => Save the last policy hash and state string in selinu
On 7/20/20 7:31 AM, Stephen Smalley wrote:
+void __init selinux_init_measurement(void)
+{
+ int i;
+
+ /*
+* enabled
+* enforcing
+* checkreqport
checkreqprot (spelling)
:( - will fix that.
What about initialized? Or do you consider that to be implicitl
On Fri, Jul 17, 2020 at 6:28 PM Lakshmi Ramasubramanian
wrote:
>
> SELinux configuration and policy are some of the critical data for this
> security module that needs to be measured. To enable this measurement
> SELinux needs to implement the interface function,
> security_measure_data(), that th
On 7/17/20 8:14 PM, kernel test robot wrote:
Hi Lakshmi,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on integrity/next-integrity]
[cannot apply to pcmoore-selinux/next security/next-testing linus/master
v5.8-rc5 next-20200717]
[If your patch is applied to the wron
Hi Lakshmi,
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on integrity/next-integrity]
[cannot apply to pcmoore-selinux/next security/next-testing linus/master
v5.8-rc5 next-20200717]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And wh
Hi Lakshmi,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on integrity/next-integrity]
[cannot apply to pcmoore-selinux/next security/next-testing linus/master
v5.8-rc5 next-20200717]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when sub
Hi Lakshmi,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on integrity/next-integrity]
[cannot apply to pcmoore-selinux/next security/next-testing linus/master
v5.8-rc5 next-20200717]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when sub
SELinux configuration and policy are some of the critical data for this
security module that needs to be measured. To enable this measurement
SELinux needs to implement the interface function,
security_measure_data(), that the LSM can call.
Define the security_measure_data() function in SELinux to
15 matches