Re: [PATCH RFC] Alternative 64-bit capability patch

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Serge E. Hallyn wrote: Quoting Andrew Morgan ([EMAIL PROTECTED]): Serge, Here is a more fully formed 64-bit capabilities patch than the one I sent you last week. Its still subject to a bunch of testing. [The patch is against Linus'

Re: Linux Security *Module* Framework (Was: LSM conversion to static interface)

On Nov 1 2007 12:51, Peter Dolding wrote: This is above me doing code. No matter how many fixes I do to the core that will not fix dysfunction in the LSM section. Strict policies on fixing the main security model will be required. If there is no one wanting to fix the existing code, then the

Re: Linux Security *Module* Framework (Was: LSM conversion to static interface)

Jan Engelhardt wrote: On Nov 1 2007 12:51, Peter Dolding wrote: This is above me doing code. No matter how many fixes I do to the core that will not fix dysfunction in the LSM section. Strict policies on fixing the main security model will be required. If there is no one wanting to

Re: [PATCH] file capabilities: allow sigcont within session (v2)

On Wed, 2007-10-31 at 18:49 -0500, Serge E. Hallyn wrote: From 5bff8967f45a35f858b96ca673d9bf98eac53d49 Mon Sep 17 00:00:00 2001 From: Serge E. Hallyn [EMAIL PROTECTED] Date: Wed, 31 Oct 2007 11:22:04 -0500 Subject: [PATCH 1/1] file capabilities: allow sigcont within session (v2) (This is a

Re: [PATCH] file capabilities: allow sigcont within session (v2)

Quoting Stephen Smalley ([EMAIL PROTECTED]): On Wed, 2007-10-31 at 18:49 -0500, Serge E. Hallyn wrote: From 5bff8967f45a35f858b96ca673d9bf98eac53d49 Mon Sep 17 00:00:00 2001 From: Serge E. Hallyn [EMAIL PROTECTED] Date: Wed, 31 Oct 2007 11:22:04 -0500 Subject: [PATCH 1/1] file

[PATCH 0/2] getsecurity/vfs_getxattr cleanup V2

This patch series addresses two concerns. Currently when a developer wishes to obtain a security blob from the LSM he/she has to guess at the length of the blob being returned. We modify security_inode_getsecurity to return an appropriately sized buffer populated with the security information and

[PATCH 2/2] VFS: Reorder vfs_getxattr to avoid unnecessary calls to the LSM

Originally vfs_getxattr would pull the security xattr variable using the inode getxattr handle and then proceed to clobber it with a subsequent call to the LSM. This patch reorders the two operations such that when the xattr requested is in the security namespace it first attempts to grab the

RE: Possible missing security checks in usbfs?

Thank you so much for the response. :) I think a malicious driver (in kernel space) can still call these functions to create a device node, which is dangerous. If this is not possible, then there is no security hole. If that is possible, then the question is if LSM can help -- if the SELinux

[PATCH] Smackv9: Use a stateful parser for parsing Smack rules

Hi Casey/Al/all, A patch that utilizes Al Viro's concerns on previous smack parser and solves pevious parser bugs discovered by Ahmed Darwish. By now, no problem will occur if given smack rules are fragmented over multiple write() calls. CC: Al Viro [EMAIL PROTECTED] Signed-off-by: Ahmed S.

RE: Possible missing security checks in usbfs?

I agree. You are right. Lin -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Greg KH Sent: Thursday, November 01, 2007 10:52 AM To: Tan, Lin Cc: linux-security-module@vger.kernel.org Subject: Re: Possible missing security checks in usbfs? On Thu, Nov 01,

Re: [PATCH] Smackv9: Use a stateful parser for parsing Smack rules

On Nov 1 2007 17:54, Ahmed S. Darwish wrote: + +static inline int isblank(char c) +{ + return (c == ' ' || c == '\t'); +} Use isspace(). + for (i = 0; i count data[i]; i ++) ... + subjectstr[(*label_len) ++] = data[i]; i++ w/o space - To unsubscribe from this

Re: [PATCH] 2.6.23: Filesystem capabilities 0.17

Serge E. Hallyn [EMAIL PROTECTED] writes: Quoting Olaf Dietsche ([EMAIL PROTECTED]): This patch implements filesystem capabilities. It allows to run privileged executables without the need for suid root. Changes: - updated to 2.6.23 - fix const correctness - fix secureexec [...] given

Re: [PATCH 1/2] VFS/Security: Rework inode_getsecurity and callers to return resulting buffer

On Thu, 1 Nov 2007, David P. Quigley wrote: This patch modifies the interface to inode_getsecurity to have the function return a buffer containing the security blob and its length via parameters instead of relying on the calling function to give it an appropriately sized buffer. Security

Re: [PATCH 1/2] VFS/Security: Rework inode_getsecurity and callers to return resulting buffer

Quoting David P. Quigley ([EMAIL PROTECTED]): This patch modifies the interface to inode_getsecurity to have the function return a buffer containing the security blob and its length via parameters instead of relying on the calling function to give it an appropriately sized buffer. Security

Re: [PATCH 2/2] VFS: Reorder vfs_getxattr to avoid unnecessary calls to the LSM

Quoting David P. Quigley ([EMAIL PROTECTED]): Originally vfs_getxattr would pull the security xattr variable using the inode getxattr handle and then proceed to clobber it with a subsequent call to the LSM. This patch reorders the two operations such that when the xattr requested is in the

Re: [PATCH] file capabilities: allow sigcont within session (v2)

On Thu, Nov 01, 2007 at 08:47:01AM -0500, Serge E. Hallyn wrote: From 5bff8967f45a35f858b96ca673d9bf98eac53d49 Mon Sep 17 00:00:00 2001 From: Serge E. Hallyn [EMAIL PROTECTED] Date: Wed, 31 Oct 2007 11:22:04 -0500 Subject: [PATCH 1/1] file capabilities: allow sigcont within session