In dm_get_maps func, if vector_alloc_slot(mp) fails, the
mpp should be freed.
Here we call free_multipath(mpp, KEEP_PATHS) to free the map.
Signed-off-by: Lixiaokeng
Signed-off-by: Zhiqiang Liu
---
libmultipath/devmapper.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git
Adds the policy parser and the policy loading to IPE, along with the
related securityfs entries and audit events.
Signed-off-by: Deven Bowers
---
security/ipe/Kconfig |2 +
security/ipe/Makefile|3 +
security/ipe/ipe-audit.c | 74 +-
Add a property to allow IPE policy to express rules around a specific
root-hash of a dm-verity volume.
This can be used for revocation (when combined with the previous dm-verity
property), or the authorization of a single dm-verity volume.
Signed-off-by: Deven Bowers
---
Add a security hook call to set a security property of a block_device
in dm-verity with the root-hash that was passed to device-mapper.
Signed-off-by: Deven Bowers
---
drivers/md/dm-verity-target.c | 8
include/linux/device-mapper.h | 1 +
2 files changed, 9 insertions(+)
diff --git
Add a security blob and associated allocation, deallocation and set hooks
for a block_device structure.
Signed-off-by: Deven Bowers
---
fs/block_dev.c| 8
include/linux/fs.h| 1 +
include/linux/lsm_hook_defs.h | 5 +++
include/linux/lsm_hooks.h | 12
Allow IPE to leverage the stacked security blob infrastructure,
and enlighten IPE to the block_device security blob.
This allows IPE to have a property to express rules around a device-mapper
verity volume whose root-hash has been signed, and the signature has been
verified against the system
Add IPE's documentation to the kernel tree.
Signed-off-by: Deven Bowers
Acked-by: Jonathan Corbet
---
Documentation/admin-guide/LSM/index.rst | 1 +
Documentation/admin-guide/LSM/ipe.rst | 508 ++
.../admin-guide/kernel-parameters.txt | 12 +
Add a property for IPE policy to express trust of the first superblock
where a file would be evaluated to determine trust.
Signed-off-by: Deven Bowers
---
security/ipe/Kconfig| 2 +
security/ipe/Makefile | 4 ++
security/ipe/ipe-engine.c |
Overview:
IPE is a Linux Security Module which allows for a configurable
policy to enforce integrity requirements on the whole system. It
attempts to solve the issue of Code Integrity: that any code being
executed (or files being read), are identical to the
Add the core logic of the IPE LSM, the evaluation loop (engine),
a portion of the audit system, and the skeleton of the policy
structure.
Signed-off-by: Deven Bowers
---
MAINTAINERS | 1 +
include/uapi/linux/audit.h | 4 +
security/Kconfig | 12 +-
Add a tool for the generation of an IPE policy to be compiled into the
kernel. This policy will be enforced until userland deploys and activates
a new policy.
Signed-off-by: Deven Bowers
---
MAINTAINERS | 6 ++
scripts/Makefile | 1 +
scripts/ipe/Makefile
Add a security hook call to set a security property of a block_device
in dm-verity with the results of a verified, signed root-hash.
Signed-off-by: Deven Bowers
---
drivers/md/dm-verity-target.c | 2 +-
drivers/md/dm-verity-verify-sig.c | 14 +++---
Remove trailing whitespaces and align the integrity #defines in
linux/uapi/audit.h
Signed-off-by: Deven Bowers
---
include/uapi/linux/audit.h | 32
1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/include/uapi/linux/audit.h
On 7/28/2020 2:36 PM, Deven Bowers wrote:
> Add a security blob and associated allocation, deallocation and set hooks
> for a block_device structure.
>
> Signed-off-by: Deven Bowers
> ---
> fs/block_dev.c| 8
> include/linux/fs.h| 1 +
>
14 matches