On Wed, 2020-05-13 at 07:21 +, Roberto Sassu wrote:
> > From: Mimi Zohar [mailto:zo...@linux.ibm.com]
> > Sent: Tuesday, May 12, 2020 9:38 PM
> > On Tue, 2020-05-12 at 16:31 +, Roberto Sassu wrote:
> > > > From: Mimi Zohar [mailto:zo...@linux.ibm.com]
> >
> > > > > > Each time the EVM
> From: Mimi Zohar [mailto:zo...@linux.ibm.com]
> Sent: Tuesday, May 12, 2020 9:38 PM
> On Tue, 2020-05-12 at 16:31 +, Roberto Sassu wrote:
> > > From: Mimi Zohar [mailto:zo...@linux.ibm.com]
>
> > > > > > Each time the EVM protected file metadata is updated, the EVM HMAC is
> > > > >
On Tue, 2020-05-12 at 16:31 +, Roberto Sassu wrote:
> > From: Mimi Zohar [mailto:zo...@linux.ibm.com]
> > > > Each time the EVM protected file metadata is updated, the EVM HMAC is
> > > > updated, assuming the existing EVM HMAC is valid. Userspace should
> > > > not have access to the
> From: Mimi Zohar [mailto:zo...@linux.ibm.com]
> Sent: Tuesday, May 12, 2020 5:50 PM
> On Tue, 2020-05-12 at 15:31 +, Roberto Sassu wrote:
> > > From: owner-linux-security-mod...@vger.kernel.org [mailto:owner-linux-security-mod...@vger.kernel.org] On Behalf Of Mimi Zohar
> > > Sent:
On Tue, 2020-05-12 at 15:31 +, Roberto Sassu wrote:
> > From: owner-linux-security-mod...@vger.kernel.org [mailto:owner-linux-
> > security-mod...@vger.kernel.org] On Behalf Of Mimi Zohar
> > Sent: Tuesday, May 12, 2020 4:17 PM
> > On Tue, 2020-05-12 at 07:54 +, Roberto Sassu wrote:
> > >
> From: owner-linux-security-mod...@vger.kernel.org [mailto:owner-linux-
> security-mod...@vger.kernel.org] On Behalf Of Mimi Zohar
> Sent: Tuesday, May 12, 2020 4:17 PM
> On Tue, 2020-05-12 at 07:54 +, Roberto Sassu wrote:
> > > > > Roberto, EVM is only triggered by IMA, unless you've
On Tue, 2020-05-12 at 07:54 +, Roberto Sassu wrote:
> > > > Roberto, EVM is only triggered by IMA, unless you've modified the
> > > > kernel to do otherwise.
> > >
> > > EVM would deny xattr/attr operations even if IMA is disabled in the
> > > kernel configuration. For example, evm_setxattr()
> From: Mimi Zohar [mailto:zo...@linux.ibm.com]
> Sent: Monday, May 11, 2020 11:37 PM
> On Mon, 2020-05-11 at 14:13 +, Roberto Sassu wrote:
> > > From: Mimi Zohar [mailto:zo...@linux.ibm.com]
> > > Sent: Friday, May 8, 2020 7:08 PM
> > > On Fri, 2020-05-08 at 10:20 +, Roberto Sassu wrote:
On Mon, 2020-05-11 at 14:13 +, Roberto Sassu wrote:
> > From: Mimi Zohar [mailto:zo...@linux.ibm.com]
> > Sent: Friday, May 8, 2020 7:08 PM
> > On Fri, 2020-05-08 at 10:20 +, Roberto Sassu wrote:
> > > > From: Mimi Zohar [mailto:zo...@linux.ibm.com]
> > > > On Thu, 2020-05-07 at 16:47
> From: Mimi Zohar [mailto:zo...@linux.ibm.com]
> Sent: Friday, May 8, 2020 7:08 PM
> On Fri, 2020-05-08 at 10:20 +, Roberto Sassu wrote:
> > > From: Mimi Zohar [mailto:zo...@linux.ibm.com]
> > > On Thu, 2020-05-07 at 16:47 +, Roberto Sassu wrote:
>
>
>
> > > > > the file metadata to
On Fri, 2020-05-08 at 10:20 +, Roberto Sassu wrote:
> > From: Mimi Zohar [mailto:zo...@linux.ibm.com]
> > On Thu, 2020-05-07 at 16:47 +, Roberto Sassu wrote:
> > > > the file metadata to the file data. The IMA and EVM policies really
> > > > need to be in sync.
> > >
> > > It would be
> From: Mimi Zohar [mailto:zo...@linux.ibm.com]
> On Thu, 2020-05-07 at 16:47 +, Roberto Sassu wrote:
> > > > > On Wed, 2020-05-06 at 15:44 -0400, Mimi Zohar wrote:
> > > > > > Since copying the EVM HMAC or original signature isn't applicable, I
> > > > > > would prefer exploring an EVM
On Thu, 2020-05-07 at 16:47 +, Roberto Sassu wrote:
> > > > On Wed, 2020-05-06 at 15:44 -0400, Mimi Zohar wrote:
> > > > > Since copying the EVM HMAC or original signature isn't applicable, I
> > > > > would prefer exploring an EVM portable and immutable signature only
> > > > > solution.
> >
inux-kernel@vger.kernel.org; Silviu
> > > Vlasceanu
> > > Subject: Re: [RFC][PATCH 1/3] evm: Move hooks outside LSM infrastructure
>
> Roberto, please fix your mailer or at least manually remove this sort
> of info from the email.
>
> > >
or...@namei.org; John Johansen
> >
> > Cc: linux-fsde...@vger.kernel.org; linux-integr...@vger.kernel.org; linux-
> > security-mod...@vger.kernel.org; linux-kernel@vger.kernel.org; Silviu
> > Vlasceanu
> > Subject: Re: [RFC][PATCH 1/3] evm: Move hooks outside LSM infrastr
gr...@vger.kernel.org; linux-
> security-mod...@vger.kernel.org; linux-kernel@vger.kernel.org; Silviu
> Vlasceanu
> Subject: Re: [RFC][PATCH 1/3] evm: Move hooks outside LSM infrastructure
>
> On Wed, 2020-05-06 at 15:44 -0400, Mimi Zohar wrote:
> > Since copying the EVM HMAC
On Wed, 2020-05-06 at 15:44 -0400, Mimi Zohar wrote:
> Since copying the EVM HMAC or original signature isn't applicable, I
> would prefer exploring an EVM portable and immutable signature only
> solution.
To prevent copying the EVM xattr, we added "security.evm" to
/etc/xattr.conf. To support
[Cc: John Johansen]
On Wed, 2020-04-29 at 09:39 +0200, Roberto Sassu wrote:
> EVM is a module for the protection of the integrity of file metadata. It
> protects security-relevant extended attributes, and some file attributes
> such as the UID and the GID. It protects their integrity with an
ux-
> security-mod...@vger.kernel.org; linux-kernel@vger.kernel.org; Silviu
> Vlasceanu ; Roberto Sassu
>
> Subject: [RFC][PATCH 1/3] evm: Move hooks outside LSM infrastructure
Any thought on this? The implementation can be discussed later.
I just wanted feedback on the approach, if this i
EVM is a module for the protection of the integrity of file metadata. It
protects security-relevant extended attributes, and some file attributes
such as the UID and the GID. It protects their integrity with an HMAC or
with a signature.
What makes EVM different from other LSMs is that it makes a