V Thu, 24 May 2018 11:34:05 -0500
ebied...@xmission.com (Eric W. Biederman) napsáno:
> Petr Tesarik writes:
>
> 2> On Thu, 24 May 2018 09:49:05 +0800
> > Dave Young wrote:
> >
> >> Hi Petr,
> >>
> >> On 05/23/18 at 10:22pm, Petr Tesarik wrote:
> >>[...]
> >> > In short, if one size fits no
Hi Eric,
On 05/24/18 at 11:41am, Eric W. Biederman wrote:
> Dave Young writes:
>
> > Hi Eric,
> > On 05/23/18 at 10:53am, Eric W. Biederman wrote:
> >> Dave Young writes:
> >>
> >> > [snip]
> >> >
> >> >> >
> >> >> > +config CRASHKERNEL_DEFAULT_THRESHOLD_MB
> >> >> > + int "System memory
On Thu, 2018-05-24 at 15:49 -0500, Eric W. Biederman wrote:
> I already nacked this approach because the two cases don't
> share a bit of code. When I looked closer it was even crazier.
It hasn't been clear what you meant by "the two cases don't share a
bit of code". The first attempt called
sec
Mimi Zohar writes:
> In order for LSMs and IMA-appraisal to differentiate between the
> original and new syscalls, both the original and new syscalls must call
> an LSM hook. This patch adds a call to security_kernel_read_data() in
> the original kexec syscall.
Until the lsm hook mess gets clea
I already nacked this approach because the two cases don't
share a bit of code. When I looked closer it was even crazier.
The way ima uses this hook and the post_load hook today is a travesty.
The way the security_kernel_file_read and security_kernel_file_post_read
are called today and are used
Dave Young writes:
> Hi Eric,
> On 05/23/18 at 10:53am, Eric W. Biederman wrote:
>> Dave Young writes:
>>
>> > [snip]
>> >
>> >> >
>> >> > +config CRASHKERNEL_DEFAULT_THRESHOLD_MB
>> >> > + int "System memory size threshold for kdump memory default
>> >> > reserving"
>> >> > + de
Petr Tesarik writes:
2> On Thu, 24 May 2018 09:49:05 +0800
> Dave Young wrote:
>
>> Hi Petr,
>>
>> On 05/23/18 at 10:22pm, Petr Tesarik wrote:
>>[...]
>> > In short, if one size fits none, what good is it to hardcode that "one
>> > size" into the kernel image?
>>
>> I agreed with all the thi
On Mon, May 21, 2018 at 5:14 AM, AKASHI Takahiro
wrote:
> Hi Rob,
>
> On Fri, May 18, 2018 at 10:35:52AM -0500, Rob Herring wrote:
>> On Tue, May 15, 2018 at 06:12:59PM +0100, James Morse wrote:
>> > Hi guys,
>> >
>> > (CC: +RobH, devicetree list)
>>
>> Thanks.
>>
>> > On 25/04/18 07:26, AKASHI Ta
Question: can the device access the pre-allocated buffer at any time?
(Still waiting to hear from Qualcomm...)
By allowing devices to request firmware be loaded directly into a
pre-allocated buffer, will this allow the device access to the firmware
before the kernel has verified the firmware signa
IMA by default does not measure, appraise or audit files, but can be
enabled at runtime by specifying a builtin policy on the boot command line
or by loading a custom policy.
This patch defines a build time policy, which verifies kernel modules,
firmware, kexec image, and/or the IMA policy signatu
Add an LSM hook prior to allowing firmware sysfs fallback loading.
Signed-off-by: Mimi Zohar
Cc: Luis R. Rodriguez
Cc: David Howells
Cc: Kees Cook
Changelog:
- call security_kernel_read_blob()
- rename the READING_FIRMWARE_FALLBACK kernel_read_file_id enumeration to
READING_FIRMWARE_FALLBACK_
In order for LSMs and IMA-appraisal to differentiate between the
original and new syscalls, both the original and new syscalls must call
an LSM hook. This patch adds a call to security_kernel_read_data() in
the original kexec syscall.
Signed-off-by: Mimi Zohar
Cc: Eric Biederman
Cc: Luis R. Rod
In order for LSMs and IMA-appraisal to differentiate between the original
and new syscalls (eg. kexec, kernel modules, firmware), both the original
and new syscalls must call an LSM hook.
Commit 2e72d51b4ac3 ("security: introduce kernel_module_from_file hook")
introduced calling security_kernel_mo
With an IMA policy requiring signed firmware, this patch prevents
the sysfs fallback method of loading firmware.
Signed-off-by: Mimi Zohar
Cc: Luis R. Rodriguez
Cc: David Howells
Cc: Matthew Garrett
---
security/integrity/ima/ima_main.c | 7 +++
1 file changed, 7 insertions(+)
diff --git
The original kexec_load syscall can not verify file signatures. This
patch differentiates between the kexec_load and kexec_file_load
syscalls.
Signed-off-by: Mimi Zohar
Cc: Eric Biederman
Cc: Luis R. Rodriguez
Cc: Kees Cook
Cc: David Howells
Changelog v3:
- use switch/case
---
security/int
IMA-appraisal is mostly being used in the embedded or single purpose
closed system environments. In these environments, both the Kconfig
options and the userspace tools can be modified appropriately to limit
syscalls. For stock kernels, userspace applications need to continue to
work with older k
On Thu, 24 May 2018 15:26:27 +0800
Dave Young wrote:
> On 05/24/18 at 08:57am, Petr Tesarik wrote:
>[...]
> > What is "a very minimal initrd"? Last time I had to make a significant
> > adjustment to the estimation for openSUSE, this was caused by growing
> > user-space requirements (systemd in th
On 05/24/18 at 03:56pm, Dave Young wrote:
> > > > Instead of setting aside a significant chunk of memory nobody can use,
> > > > [...] reserve a significant chunk of memory that the kernel is prevented
> > > > from using [...], but applications are free to use it.
> > >
> > > That works great, bec
Presently the Makedumpfile.in doesn't include a uninstall rule, which is
useful in case we want to preform a reverse of the install process
done by Makefile.in
This patch adds this rule, thus making it easier to remove installed
executables and man pages in case one needs to uninstall the same.
C
> > > Instead of setting aside a significant chunk of memory nobody can use,
> > > [...] reserve a significant chunk of memory that the kernel is prevented
> > > from using [...], but applications are free to use it.
> >
> > That works great, because user space pages are filtered out in the
> > co
On 05/24/18 at 03:26pm, Dave Young wrote:
> On 05/24/18 at 08:57am, Petr Tesarik wrote:
> > On Thu, 24 May 2018 09:49:05 +0800
> > Dave Young wrote:
> >
> > > Hi Petr,
> > >
> > > On 05/23/18 at 10:22pm, Petr Tesarik wrote:
> > >[...]
> > > > In short, if one size fits none, what good is it to h
The kdump tool presently allows one to generate an ELF file containing
the ELF header, PT_NOTE and PT_LOAD segments (which can be analyzed
later by tools like 'readelf') of the crashdump read from memory, when
passed with an appropriate 'elfcorehdr' value(which represents the
physical address of th
On 05/24/18 at 08:57am, Petr Tesarik wrote:
> On Thu, 24 May 2018 09:49:05 +0800
> Dave Young wrote:
>
> > Hi Petr,
> >
> > On 05/23/18 at 10:22pm, Petr Tesarik wrote:
> >[...]
> > > In short, if one size fits none, what good is it to hardcode that "one
> > > size" into the kernel image?
> >
On 05/11/18 at 02:00pm, Yanjiang Jin wrote:
> Now, according to the kernel's memory.h, converting a virtual address to
> a physical address should be done like below:
>
> phys_addr_t __x = (phys_addr_t)(x);
> \
> __x & BIT(VA_BITS - 1) ? (__x & ~PAGE_OFFSET) + PHYS_OFFSET :
> \
>
On 05/24/18 at 08:57am, Petr Tesarik wrote:
> On Thu, 24 May 2018 09:49:05 +0800
> Dave Young wrote:
>
> > Hi Petr,
> >
> > On 05/23/18 at 10:22pm, Petr Tesarik wrote:
> >[...]
> > > In short, if one size fits none, what good is it to hardcode that "one
> > > size" into the kernel image?
> >
ho...@verge.net.au, bhsha...@redhat.com
Bcc: b...@redhat.com
Subject: Re: [PATCH] arm64: update PHYS_OFFSET to conform to kernel
Reply-To:
In-Reply-To: <1526018427-8710-2-git-send-email-yanjiang@hxt-semitech.com>
Hi Yanjiang,
On 05/11/18 at 02:00pm, Yanjiang Jin wrote:
> Now, according to th
26 matches
Mail list logo
