Re: [PATCH v4 0/8] kexec/firmware: support system wide policy requiring signatures

Quoting Kees Cook (keesc...@chromium.org): > On Mon, Jun 4, 2018 at 7:03 AM, Mimi Zohar wrote: > > On Tue, 2018-05-29 at 14:01 -0400, Mimi Zohar wrote: > >> Instead of adding the security_kernel_read_file LSM hook - or defining a > >> wrapper for security_kernel_read_file LSM hook and adding it, o

Re: [PATCH v4 0/8] kexec/firmware: support system wide policy requiring signatures

On Mon, Jun 4, 2018 at 7:03 AM, Mimi Zohar wrote: > On Tue, 2018-05-29 at 14:01 -0400, Mimi Zohar wrote: >> Instead of adding the security_kernel_read_file LSM hook - or defining a >> wrapper for security_kernel_read_file LSM hook and adding it, or >> renaming the existing hook to security_kernel_

Re: [PATCH v4 2/8] kexec: add call to LSM hook in original kexec_load syscall

Quoting Mimi Zohar (zo...@linux.vnet.ibm.com): > In order for LSMs and IMA-appraisal to differentiate between kexec_load > and kexec_file_load syscalls, both the original and new syscalls must > call an LSM hook. This patch adds a call to security_kernel_load_data() > in the original kexec_load sy

Re: [PATCH v4 1/8] security: define new LSM hook named security_kernel_load_data

Quoting Mimi Zohar (zo...@linux.vnet.ibm.com): > Differentiate between the kernel reading a file from the kernel loading > data provided by userspace. This patch defines a new LSM hook named > security_kernel_load_data. > > Signed-off-by: Mimi Zohar Acked-by: Serge Hallyn > Cc: Eric Biederman

Re: [PATCH v4 0/8] kexec/firmware: support system wide policy requiring signatures

On Mon, 2018-06-04 at 14:32 -0500, Serge E. Hallyn wrote: > Quoting Mimi Zohar (zo...@linux.vnet.ibm.com): > > On Tue, 2018-05-29 at 14:01 -0400, Mimi Zohar wrote: > > > Instead of adding the security_kernel_read_file LSM hook - or defining a > > > wrapper for security_kernel_read_file LSM hook and

Re: [PATCH v4 0/8] kexec/firmware: support system wide policy requiring signatures

Quoting Mimi Zohar (zo...@linux.vnet.ibm.com): > On Tue, 2018-05-29 at 14:01 -0400, Mimi Zohar wrote: > > Instead of adding the security_kernel_read_file LSM hook - or defining a > > wrapper for security_kernel_read_file LSM hook and adding it, or > > renaming the existing hook to security_kernel_r

Re: [PATCH v4 0/8] kexec/firmware: support system wide policy requiring signatures

On Tue, 2018-05-29 at 14:01 -0400, Mimi Zohar wrote: > Instead of adding the security_kernel_read_file LSM hook - or defining a > wrapper for security_kernel_read_file LSM hook and adding it, or > renaming the existing hook to security_kernel_read_data() and adding it > - in places where the kernel

Re: [PATCH v4a 8/8] module: replace the existing LSM hook in init_module

+++ Mimi Zohar [31/05/18 11:23 -0400]: Both the init_module and finit_module syscalls call either directly or indirectly the security_kernel_read_file LSM hook. This patch replaces the direct call in init_module with a call to the new security_kernel_load_data hook and makes the corresponding ch