Re: [dm-devel] fix and cleanup device mapper bioset initialization

2022-06-08 Thread Christoph Hellwig
On Wed, Jun 08, 2022 at 02:16:26PM -0400, Mike Snitzer wrote: > All looks good to me. Are you OK with me picking up the first 3 to > send to Linus for 5.19-rc2 (given the integrity bioset fix)? > > And hold patch 4 until 5.20 merge? Sounds good to me. > Or would you prefer that cleanup to land

Re: [dm-devel] [RFC PATCH v8 10/17] block|security: add LSM blob to block_device

2022-06-08 Thread Deven Bowers
On Wed, Jun 08, 2022 at 01:07:39PM -0700, Casey Schaufler wrote: > On 6/8/2022 12:01 PM, Deven Bowers wrote: > >block_device structures can have valuable security properties, > >based on how they are created, and what subsystem manages them. > > > >By adding LSM storage to this structure, this

Re: [dm-devel] [RFC PATCH v8 00/17] Integrity Policy Enforcement LSM (IPE)

2022-06-08 Thread Deven Bowers
On Wed, Jun 08, 2022 at 08:10:58PM +0100, Matthew Wilcox wrote: > On Wed, Jun 08, 2022 at 12:01:12PM -0700, Deven Bowers wrote: > > IPE is a Linux Security Module which takes a complimentary approach to > > Hello, IPE. You're looking exceptionally attractive today. Have you > been working out?

Re: [dm-devel] [RFC PATCH v8 00/17] Integrity Policy Enforcement LSM (IPE)

2022-06-08 Thread Matthew Wilcox
On Wed, Jun 08, 2022 at 12:01:12PM -0700, Deven Bowers wrote: > IPE is a Linux Security Module which takes a complimentary approach to Hello, IPE. You're looking exceptionally attractive today. Have you been working out? (maybe you meant "complementary"? ;-) -- dm-devel mailing list

[dm-devel] [RFC PATCH v8 07/17] ipe: add auditing support

2022-06-08 Thread Deven Bowers
Users of IPE require a way to identify when and why an operation fails, allowing them to both respond to violations of policy and be notified of potentially malicious actions on their systems with respect to IPE itself. The new 1420 audit, AUDIT_IPE_ACCESS indicates the result of a policy

[dm-devel] [RFC PATCH v8 13/17] fsverity: consume builtin signature via LSM hook

2022-06-08 Thread Deven Bowers
From: Fan Wu fsverity represents a mechanism to support both integrity and authenticity protection of a file, supporting both signed and unsigned digests. An LSM which controls access to a resource based on authenticity and integrity of said resource, can then use this data to make an informed

[dm-devel] [RFC PATCH v8 12/17] ipe: add support for dm-verity as a trust provider

2022-06-08 Thread Deven Bowers
Allows author of IPE policy to indicate trust for a singular dm-verity volume, identified by roothash, through "dmverity_roothash" and all signed dm-verity volumes, through "dmverity_signature". Signed-off-by: Deven Bowers --- v2: + No Changes v3: + No changes v4: + No changes v5: +

[dm-devel] [RFC PATCH v8 08/17] ipe: add permissive toggle

2022-06-08 Thread Deven Bowers
IPE, like SELinux, supports a permissive mode. This mode allows policy authors to test and evaluate IPE policy without it affecting their programs. When the mode is changed, a 1423 AUDIT_TRUST_STATUS will be reported. Signed-off-by: Deven Bowers --- This patch adds the following audit records:

[dm-devel] [RFC PATCH v8 06/17] uapi|audit: add ipe audit message definitions

2022-06-08 Thread Deven Bowers
Introduce new definitions to audit.h centered around trust decisions and policy loading and activation, as an extension of the mandatory access control fields. Signed-off-by: Deven Bowers --- v2: + Split evaluation loop, access control hooks, and evaluation loop from policy parser and

[dm-devel] [RFC PATCH v8 04/17] ipe: add userspace interface

2022-06-08 Thread Deven Bowers
As is typical with LSMs, IPE uses securityfs as its interface with userspace. For a complete list of the interfaces and the respective inputs/outputs, please see the documentation under admin-guide/LSM/ipe.rst Signed-off-by: Deven Bowers --- v2: + Split evaluation loop, access control hooks,

[dm-devel] [RFC PATCH v8 15/17] scripts: add boot policy generation program

2022-06-08 Thread Deven Bowers
Enables an IPE policy to be enforced from kernel start, enabling access control based on trust from kernel startup. This is accomplished by transforming an IPE policy indicated by CONFIG_IPE_BOOT_POLICY into a c-string literal that is parsed at kernel startup as an unsigned policy. Signed-off-by:

[dm-devel] [RFC PATCH v8 01/17] security: add ipe lsm & initial context creation

2022-06-08 Thread Deven Bowers
Integrity Policy Enforcement (IPE) is an LSM that provides a complimentary approach to Mandatory Access Control than existing LSMs today. Existing LSMs have centered around the concept of access to a resource should be controlled by the current user's credentials. IPE's approach, is that access

[dm-devel] [RFC PATCH v8 02/17] ipe: add policy parser

2022-06-08 Thread Deven Bowers
IPE's interpretation of what the user trusts is accomplished through its policy. IPE's design is to not provide support for a single trust provider, but to support multiple providers to enable the end-user to choose the best one to seek their needs. This requires the policy to be rather

[dm-devel] [RFC PATCH v8 16/17] ipe: kunit tests

2022-06-08 Thread Deven Bowers
Add various happy/unhappy unit tests for both IPE's parser and evaluation loop, testing the core of IPE. The missing test gap remains the interface with userspace. Signed-off-by: Deven Bowers --- v1-v6: + Not present v7: Introduced v8: + Remove the kunit tests with respect to the

[dm-devel] [RFC PATCH v8 11/17] dm-verity: consume root hash digest and signature data via LSM hook

2022-06-08 Thread Deven Bowers
dm-verity provides a strong guarantee of a block device's integrity. As a generic way to check the integrity of a block device, it provides those integrity guarantees to its lower layers, including the filesystem level. An LSM that controls access to a resource on the system based on the available

[dm-devel] [RFC PATCH v8 14/17] ipe: enable support for fs-verity as a trust provider

2022-06-08 Thread Deven Bowers
From: Fan Wu Enable IPE policy authors to indicate trust for a singular fsverity file, identified by the digest information, through "fsverity_digest" and all files using fsverity's builtin signatures via "fsverity_signature". This enables file-level integrity claims to be expressed in IPE,

[dm-devel] [RFC PATCH v8 03/17] ipe: add evaluation loop

2022-06-08 Thread Deven Bowers
IPE must have a centralized function to evaluate incoming callers against IPE's policy. This iteration of the policy for against the rules for that specific caller is known as the evaluation loop. Signed-off-by: Deven Bowers --- v2: + Split evaluation loop, access control hooks, and

[dm-devel] [RFC PATCH v8 10/17] block|security: add LSM blob to block_device

2022-06-08 Thread Deven Bowers
block_device structures can have valuable security properties, based on how they are created, and what subsystem manages them. By adding LSM storage to this structure, this data can be accessed at the LSM layer. Signed-off-by: Deven Bowers --- v2: + No Changes v3: + Minor style changes

[dm-devel] [RFC PATCH v8 09/17] ipe: introduce 'boot_verified' as a trust provider

2022-06-08 Thread Deven Bowers
IPE is designed to provide system level trust guarantees, this usually implies that trust starts from bootup with a hardware root of trust, which validates the bootloader. After this, the bootloader verifies the kernel and the initramfs. As there's no currently supported integrity method for

[dm-devel] [RFC PATCH v8 17/17] documentation: add ipe documentation

2022-06-08 Thread Deven Bowers
Add IPE's admin and developer documentation to the kernel tree. Co-developed-by: Fan Wu Signed-off-by: Fan Wu Signed-off-by: Deven Bowers --- v2: + No Changes v3: + Add Acked-by + Fixup code block syntax + Fix a minor grammatical issue. v4: + Update documentation with the results

[dm-devel] [RFC PATCH v8 00/17] Integrity Policy Enforcement LSM (IPE)

2022-06-08 Thread Deven Bowers
Overview: - IPE is a Linux Security Module which takes a complimentary approach to access control. Whereas existing mandatory access control mechanisms base their decisions on labels and paths, IPE instead determines whether or not an operation should be allowed based on immutable

[dm-devel] [RFC PATCH v8 05/17] ipe: add LSM hooks on execution and kernel read

2022-06-08 Thread Deven Bowers
IPE's initial goal is to control both execution and the loading of kernel modules based on the system's definition of trust. It accomplishes this by plugging into the security hooks for bprm_check_security, file_mprotect, mmap_file, kernel_load_data, and kernel_read_data. Signed-off-by: Deven

Re: [dm-devel] fix and cleanup device mapper bioset initialization

2022-06-08 Thread Mike Snitzer
On Wed, Jun 08 2022 at 2:34P -0400, Christoph Hellwig wrote: > Hi Mike, > > the first patch fixes the device mapper bioset to restore the previous > behavior of preallocating biosets instead of allocating them at bind > time, and to actually allocate pools for the integrity data. The > others

Re: [dm-devel] [RFC PATCH 0/2] multipath-tools: simplify defaults for NVMe

2022-06-08 Thread Benjamin Marzinski
On Wed, Jun 01, 2022 at 10:26:26PM +0200, mwi...@suse.com wrote: > From: Martin Wilck > > Using dm-multipath with NVMe devices is increasingly becoming a niche > configuration, as it's recommended against by the kernel community and > various vendors. Some vendors would prefer not to see their

Re: [dm-devel] [PATCH] libmultipath: unset detect_checker for clariion / Unity arrays

2022-06-08 Thread Benjamin Marzinski
On Wed, Jun 08, 2022 at 07:56:27AM +, Martin Wilck wrote: > On Tue, 2022-06-07 at 17:45 -0500, Benjamin Marzinski wrote: > > Dell EMC would like to always use the emc_clariion checker. Currently > > detect_checker will switch the checker to TUR for Unity arrays. > > This can cause problems on

Re: [dm-devel] Device Mapper being derailed in tboot launch

2022-06-08 Thread Bryn M. Reeves
On Tue, Jun 07, 2022 at 08:15:16AM -0400, Tony Camuso wrote: > On 6/7/2022 5:57 AM, Bryn M. Reeves wrote: > > On Mon, Jun 06, 2022 at 11:43:58AM -0400, Tony Camuso wrote: > > > Successful bootlog snippet: > > > > > > [3.843911] sd 5:0:0:0: [sda] Attached SCSI disk > > > [3.848370] sd

Re: [dm-devel] [PATCH AUTOSEL 5.18 35/68] md: don't unregister sync_thread with reconfig_mutex held

2022-06-08 Thread Guoqing Jiang
Hi, Pls drop this one from all stable kernel versions since it caused regression. Thanks, Guoqing -- dm-devel mailing list dm-devel@redhat.com https://listman.redhat.com/mailman/listinfo/dm-devel

Re: [dm-devel] Device Mapper being derailed in tboot launch

2022-06-08 Thread Tony Camuso
On 6/7/2022 5:57 AM, Bryn M. Reeves wrote: Many thanks for the reply. On Mon, Jun 06, 2022 at 11:43:58AM -0400, Tony Camuso wrote: Successful bootlog snippet: [3.843911] sd 5:0:0:0: [sda] Attached SCSI disk [3.848370] sd 6:0:0:0: [sdb] Attached SCSI disk [3.925639] md126:

[dm-devel] [PATCH 4/4] dm: refactor dm_md_mempool allocation

2022-06-08 Thread Christoph Hellwig
The current split between dm_table_alloc_md_mempools and dm_alloc_md_mempools is rather arbitrary, so merge the two into one easy to follow function. Signed-off-by: Christoph Hellwig --- drivers/md/dm-core.h | 3 +++ drivers/md/dm-table.c | 57 +++

[dm-devel] [PATCH 2/4] block: remove bioset_init_from_src

2022-06-08 Thread Christoph Hellwig
Unused now, and the interface never really made a whole lot of sense to start with. Signed-off-by: Christoph Hellwig --- block/bio.c | 20 include/linux/bio.h | 1 - 2 files changed, 21 deletions(-) diff --git a/block/bio.c b/block/bio.c index

[dm-devel] fix and cleanup device mapper bioset initialization

2022-06-08 Thread Christoph Hellwig
Hi Mike, the first patch fixes the device mapper bioset to restore the previous behavior of preallocating biosets instead of allocating them at bind time, and to actually allocate pools for the integrity data. The others are cleanups on top of that. Diffstat: block/bio.c | 20

[dm-devel] [PATCH 1/4] dm: fix bio_set allocation

2022-06-08 Thread Christoph Hellwig
The use of bioset_init_from_src means that the pre-allocated pools weren't used for anything except parameter passing, and the integrity pool creation got completely lost for the actual live mapped_device. Fix that by assigning the actual preallocated dm_md_mempools to the mapped_device and using

[dm-devel] [PATCH 3/4] dm: unexport dm_get_reserved_rq_based_ios

2022-06-08 Thread Christoph Hellwig
dm_get_reserved_rq_based_ios is only used in the core dm code, so remove the export. Signed-off-by: Christoph Hellwig --- drivers/md/dm-rq.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/md/dm-rq.c b/drivers/md/dm-rq.c index a83b98a8d2a99..4f49bbcce4f1a 100644 ---