Re: [PATCH] lockdown: fix coordination of kernel module signature verification

2018-04-13 Thread Bruno E. O. Meneguele
f (!file && read_id == READING_MODULE) /* MODULE_SIG_FORCE enabled */ > + /* > + * If both IMA-appraisal and appended signature verification are > + * enabled, rely on the appended signature verification. > + */ > + if (sig_enforce && read_id == READING_MODULE) > return 0; > > /* permit signed certs */ > -- > 2.7.5 > I agree with the solution. Acked-by: Bruno E. O. Meneguele
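
Review bot: the added comment says the early return applies when both IMA-appraisal and appended signature verification are enabled, but the visible condition `if (sig_enforce && read_id == READING_MODULE)` tests only the enforcement flag and the read type. If the IMA-appraisal half is established earlier in the function, outside this quoted fragment, the comment should say so; otherwise reword it to describe what the condition actually checks. Since `return 0` here means IMA does no appraisal of its own for a module read whenever `sig_enforce` is set, the commit message should state that module integrity then rests entirely on the appended signature check.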

Re: [PATCH v2] ima: log message to module appraisal error

2017-12-05 Thread Bruno E. O. Meneguele
Ignore this erroneously sent email. v2 was already superseded by v3. On 05-12, Bruno E. O. Meneguele wrote: > Simple but useful message log to the user in case of module appraise is > forced and fails due to the lack of file descriptor, that might be > caused by kmod calls to compresse

[PATCH v2] ima: log message to module appraisal error

2017-12-05 Thread Bruno E. O. Meneguele
Simple but useful message log to the user in case of module appraise is forced and fails due to the lack of file descriptor, that might be caused by kmod calls to compressed modules. Signed-off-by: Bruno E. O. Meneguele --- security/integrity/ima/ima_main.c | 6 +- 1 file changed, 5

[PATCH v3] ima: log message to module appraisal error

2017-12-05 Thread Bruno E. O. Meneguele
From: "Bruno E. O. Meneguele" Simple but useful message log to the user in case of module appraise is forced and fails due to the lack of file descriptor, that might be caused by kmod calls to compressed modules. Signed-off-by: Bruno E. O. Meneguele --- security/integrity/ima/ima_

Re: [PATCH v2] ima: log message to module appraisal error

2017-12-05 Thread Bruno E. O. Meneguele
On 04-12, Joe Perches wrote: > On Mon, 2017-12-04 at 18:23 -0200, Bruno E. O. Meneguele wrote: > > Simple but useful message log to the user in case of module appraise is > > forced and fails due to the lack of file descriptor, that might be > > caused by kmod calls

[PATCH v2] ima: log message to module appraisal error

2017-12-04 Thread Bruno E. O. Meneguele
Simple but useful message log to the user in case of module appraise is forced and fails due to the lack of file descriptor, that might be caused by kmod calls to compressed modules. Signed-off-by: Bruno E. O. Meneguele --- security/integrity/ima/ima_main.c | 6 +- 1 file changed, 5

Re: [PATCH] ima: log message to module appraisal error

2017-12-04 Thread Bruno E. O. Meneguele
On 04-12, Bruno E. O. Meneguele wrote: > Simple but useful message log to the user in case of module appraise is > forced and fails due to the lack of file descriptor, that might be > caused by kmod calls to compressed modules. > > Signed-off-by: Bruno E. O. Meneguele > ---

[PATCH] ima: log message to module appraisal error

2017-12-04 Thread Bruno E. O. Meneguele
Simple but useful message log to the user in case of module appraise is forced and fails due to the lack of file descriptor, that might be caused by kmod calls to compressed modules. Signed-off-by: Bruno E. O. Meneguele --- security/integrity/ima/ima_main.c | 6 +- 1 file changed, 5

Re: [PATCH v3 2/2] ima: check signature enforcement against cmdline param instead of CONFIG

2017-10-25 Thread Bruno E. O. Meneguele
On 25-10, Mimi Zohar wrote: > On Wed, 2017-10-25 at 13:05 -0200, Bruno E. O. Meneguele wrote: > > On 24-10, Mimi Zohar wrote: > > > On Tue, 2017-10-24 at 15:37 -0200, Bruno E. O. Meneguele wrote: > > > > When the user requests MODULE_CHECK policy and its k

Re: [PATCH v3 2/2] ima: check signature enforcement against cmdline param instead of CONFIG

2017-10-25 Thread Bruno E. O. Meneguele
On 24-10, Mimi Zohar wrote: > On Tue, 2017-10-24 at 15:37 -0200, Bruno E. O. Meneguele wrote: > > When the user requests MODULE_CHECK policy and its kernel is compiled > > with CONFIG_MODULE_SIG_FORCE not set, all modules would not load, just > > those loaded in initram time

[PATCH v3 0/2] ima: change how MODULE_SIG_FORCE is checked on modules checking policy

2017-10-24 Thread Bruno E. O. Meneguele
1/2 - code changes to correct checkpatch.pl warnings. Bruno E. O. Meneguele (2): module: export module signature enforcement status ima: check signature enforcement against cmdline param instead of CONFIG include/linux/module.h| 7 +++ kernel/module.c

[PATCH v3 2/2] ima: check signature enforcement against cmdline param instead of CONFIG

2017-10-24 Thread Bruno E. O. Meneguele
doesn't rely on this value, it checks just CONFIG_MODULE_SIG_FORCE. This patch solves this problem checking for the exported value of module.sig_enforce cmdline param instead of CONFIG_MODULE_SIG_FORCE, which holds the effective value (CONFIG || param). Signed-off-by: Bruno E. O. Mene

[PATCH v3 1/2] module: export module signature enforcement status

2017-10-24 Thread Bruno E. O. Meneguele
ctive value of module signature enforcement, being it from CONFIG value or cmdline param. Signed-off-by: Bruno E. O. Meneguele --- include/linux/module.h | 7 +++ kernel/module.c| 10 ++ 2 files changed, 17 insertions(+) diff --git a/include/linux/module.h b/include/linux/mod

[PATCH v2 1/2] module: export module signature enforcement status

2017-10-23 Thread Bruno E. O. Meneguele
ctive value of module signature enforcement, being it from CONFIG value or cmdline param. Signed-off-by: Bruno E. O. Meneguele --- include/linux/module.h | 2 ++ kernel/module.c| 10 ++ 2 files changed, 12 insertions(+) diff --git a/include/linux/module.h b/include/linux/module.h

[PATCH v2 2/2] ima: check signature enforcement against cmdline param instead of CONFIG

2017-10-23 Thread Bruno E. O. Meneguele
doesn't rely on this value, it checks just CONFIG_MODULE_SIG_FORCE. This patch solves this problem checking for the exported value of module.sig_enforce cmdline param instead of CONFIG_MODULE_SIG_FORCE, which holds the effective value (CONFIG || param). Signed-off-by: Bruno E. O. Mene

[PATCH v2 0/2] ima: change how MODULE_SIG_FORCE is checked on modules checking policy

2017-10-23 Thread Bruno E. O. Meneguele
le(0x7f9602d6e010, 386646, "") = 0 The patchset was tested in two different kernels: 4.13.6 (Fedora 27) and 4.14.0-rc4 (integrity-next tree) Bruno E. O. Meneguele (2): module: export module signature enforcement status ima: check signature enforcement against cmdline param instead of

Re: [PATCH 1/2] module: export module signature enforcement status

2017-10-23 Thread Bruno E. O. Meneguele
On 23-10, Mimi Zohar wrote: > On Fri, 2017-10-20 at 17:19 -0200, Bruno E. O. Meneguele wrote: > > A static variable sig_enforce is used as status var to indicate the real > > value of CONFIG_MODULE_SIG_FORCE, once this one is set the var will hold > > true, but if the CONFIG

[PATCH 1/2] module: export module signature enforcement status

2017-10-20 Thread Bruno E. O. Meneguele
ctive value of module signature enforcement, being it from CONFIG value or cmdline param. Signed-off-by: Bruno E. O. Meneguele --- include/linux/module.h | 2 ++ kernel/module.c| 8 2 files changed, 10 insertions(+) diff --git a/include/linux/module.h b/include/linux/module.h

[PATCH 2/2] ima: check signature enforcement against cmdline param instead of CONFIG

2017-10-20 Thread Bruno E. O. Meneguele
doesn't rely on this value, it checks just CONFIG_MODULE_SIG_FORCE. This patch solves this problem checking for the exported value of module.sig_enforce cmdline param instead of CONFIG_MODULE_SIG_FORCE, which holds the effective value (CONFIG || param). Signed-off-by: Bruno E. O. Mene

[PATCH 0/2] ima: change how MODULE_SIG_FORCE is checked on modules checking policy

2017-10-20 Thread Bruno E. O. Meneguele
le(0x7f9602d6e010, 386646, "") = 0 The patchset was tested in two different kernels: 4.13.6 (Fedora 27) and 4.14.0-rc4 (integrity-next tree) Bruno E. O. Meneguele (2): module: export module signature enforcement status ima: check signature enforcement against cmdline param instead of

[PATCH] sched: fix typo on topology error message

2017-08-11 Thread Bruno E. O. Meneguele
Trivial typo correction on kernel/sched/topology.c pr_err() message. Signed-off-by: Bruno E. O. Meneguele --- kernel/sched/topology.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/sched/topology.c b/kernel/sched/topology.c index bd8b6d6f5387..f87de3259b95 100644

[PATCH] Char: tpm: fixed white spaces and braces coding style issues

2015-01-17 Thread Bruno E O Meneguele
Fixed some coding style issues. Signed-off-by: Bruno E O Meneguele --- drivers/char/tpm/tpm.h | 10 +- drivers/char/tpm/tpm_i2c_stm_st33.c | 10 ++ 2 files changed, 11 insertions(+), 9 deletions(-) diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h index