Re: [PATCH v4 1/3] Enable multiple writes to the IMA policy;

2015-10-26 Thread Mimi Zohar
On Tue, 2015-10-27 at 00:03 +0200, Petko Manolov wrote: > On 15-10-26 22:39:28, Dmitry Kasatkin wrote: > > Can you please still explain when multiple policy writers can contend? I > > 100% > > understand the role of mutex > > Ignore the high level requirements for the moment. Every time yo

Re: [PATCH v4 1/3] Enable multiple writes to the IMA policy;

2015-10-26 Thread Petko Manolov
On 15-10-26 22:39:28, Dmitry Kasatkin wrote: > > We had some discussion with Mimi and could not come to conclusion.. No problems there: truth springs from argument amongst friends. > Can you please still explain when multiple policy writers can contend? I 100% > understand the role of mutex

[PATCH v3 6/7] selinux: Revalidate invalid inode security labels

2015-10-26 Thread Andreas Gruenbacher
When fetching inode's security label, check if they are still valid, and try reloading invalid labels. Reloading will fail when we are in RCU context which doesn't allow sleeping, or when we can't find a dentry for the inode. (Reloading happens via iop->getxattr which takes a dentry parameter.) S

[PATCH v3 4/7] selinux: Push dentry down from {dentry,path,file}_has_perm

2015-10-26 Thread Andreas Gruenbacher
In dentry_has_perm, path_has_perm, and file_has_perm, push the dentry down to before avc_has_perm so that dentry_security can be used instead of inode_security. Since inode_has_perm now takes a dentry, rename it to __dentry_has_perm. Signed-off-by: Andreas Gruenbacher --- security/selinux/hooks

[PATCH v3 7/7] gfs2: Invalide security labels of inodes when they go invalid

2015-10-26 Thread Andreas Gruenbacher
When gfs2 releases the glock of an inode, it must invalidate all information cached for that inode, including the page cache and acls. Use the new security_inode_invalidate_secctx hook to also invalidate security labels in that case. These items will be reread from disk when needed after reacquir

[PATCH v3 1/7] selinux: Remove unused variable in selinux_inode_init_security

2015-10-26 Thread Andreas Gruenbacher
Signed-off-by: Andreas Gruenbacher --- security/selinux/hooks.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index e4369d8..fc8f626 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2756,13 +2756,11 @@ static int s

[PATCH v3 3/7] selinux: Get rid of file_path_has_perm

2015-10-26 Thread Andreas Gruenbacher
Use path_has_perm directly instead. Signed-off-by: Andreas Gruenbacher --- security/selinux/hooks.c | 18 +++--- 1 file changed, 3 insertions(+), 15 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 65e8689..d6b4dc9 100644 --- a/security/selinux/hoo

[PATCH v3 2/7] selinux: Add accessor functions for inode->i_security

2015-10-26 Thread Andreas Gruenbacher
Add functions dentry_security and inode_security for accessing inode->i_security. These functions initially don't do much, but they will later be used to revalidate the security labels when necessary. Signed-off-by: Andreas Gruenbacher --- security/selinux/hooks.c | 101

[PATCH v3 5/7] security: Add hook to invalidate inode security labels

2015-10-26 Thread Andreas Gruenbacher
Add a hook to invalidate an inode's security label when the cached information becomes invalid. Implement the new hook in selinux: set a flag when a security label becomes invalid. When hitting a security label which has been marked as invalid in inode_has_perm, try reloading the label. If an in

[PATCH v3 0/7] Inode security label invalidation

2015-10-26 Thread Andreas Gruenbacher
Here is another version of the patch queue to make gfs2 and similar file systems work with SELinux. As suggested by Stephen Smalley [*], the relevant uses of inode->security are wrapped in function calls that try to revalidate invalid labels. [*] http://marc.info/?l=linux-kernel&m=1444167102076

Re: [PATCH v4 1/3] Enable multiple writes to the IMA policy;

2015-10-26 Thread Dmitry Kasatkin
On Sat, Oct 24, 2015 at 5:04 PM, Dmitry Kasatkin wrote: > On Sat, Oct 24, 2015 at 3:28 PM, Petko Manolov wrote: >> On 15-10-23 20:13:41, Dmitry Kasatkin wrote: >>> On Fri, Oct 23, 2015 at 3:29 PM, Petko Manolov wrote: >>> > >>> > I was actually going to get rid of IMA_FS_BUSY. It is less flexib

Re: [PATCHv3 4/6] evm: provide a function to set EVM key from the kernel

2015-10-26 Thread Dmitry Kasatkin
Hi, Updated in the patch. http://git.kernel.org/cgit/linux/kernel/git/kasatkin/linux-digsig.git/log/?h=ima-next Dmitry On Fri, Oct 23, 2015 at 9:30 PM, Mimi Zohar wrote: > On Thu, 2015-10-22 at 21:49 +0300, Dmitry Kasatkin wrote: >> Crypto HW kernel module can possibly initialize EVM key from

Re: [PATCHv3 3/6] evm: enable EVM when X509 certificate is loaded

2015-10-26 Thread Dmitry Kasatkin
Hi, I added error printing to the patch http://git.kernel.org/cgit/linux/kernel/git/kasatkin/linux-digsig.git/log/?h=ima-next Dmitry On Fri, Oct 23, 2015 at 9:31 PM, Mimi Zohar wrote: > On Thu, 2015-10-22 at 21:49 +0300, Dmitry Kasatkin wrote: >> In order to enable EVM before starting 'init'

Re: [PATCH v4 1/3] Enable multiple writes to the IMA policy;

2015-10-26 Thread Mimi Zohar
On Mon, 2015-10-26 at 16:01 +0200, Petko Manolov wrote: > On 15-10-25 07:50:32, Mimi Zohar wrote: > > On Sat, 2015-10-24 at 17:06 +0300, Dmitry Kasatkin wrote: > > > > > > @@ -171,9 +172,8 @@ static int __init > > > > default_appraise_policy_setup(char *str) > > > > __setup("ima_appraise_tcb", d

Re: [PATCH v4 1/3] Enable multiple writes to the IMA policy;

2015-10-26 Thread Petko Manolov
On 15-10-25 07:50:32, Mimi Zohar wrote: > On Sat, 2015-10-24 at 17:06 +0300, Dmitry Kasatkin wrote: > > > > @@ -171,9 +172,8 @@ static int __init default_appraise_policy_setup(char > > > *str) > > > __setup("ima_appraise_tcb", default_appraise_policy_setup); > > > > > > /* > > > - * Although th

Re: [PATCH v4 1/3] Enable multiple writes to the IMA policy;

2015-10-26 Thread Mimi Zohar
On Sat, 2015-10-24 at 17:04 +0300, Dmitry Kasatkin wrote: > On Sat, Oct 24, 2015 at 3:28 PM, Petko Manolov wrote: > > On 15-10-23 20:13:41, Dmitry Kasatkin wrote: > >> On Fri, Oct 23, 2015 at 3:29 PM, Petko Manolov wrote: > >> > > >> > I was actually going to get rid of IMA_FS_BUSY. It is less f