On Tue, 2015-10-27 at 00:03 +0200, Petko Manolov wrote:
> On 15-10-26 22:39:28, Dmitry Kasatkin wrote:
> > Can you please still explain when multiple policy writers can contend? I
> > 100% understand the role of mutex
>
> Ignore the high level requirements for the moment. Every time yo
On 15-10-26 22:39:28, Dmitry Kasatkin wrote:
>
> We had some discussion with Mimi and could not come to a conclusion.
No problems there: truth springs from argument amongst friends.
> Can you please still explain when multiple policy writers can contend? I 100%
> understand the role of mutex
When fetching an inode's security label, check if it is still valid, and try
reloading invalid labels. Reloading will fail when we are in RCU context which
doesn't allow sleeping, or when we can't find a dentry for the inode.
(Reloading happens via iop->getxattr which takes a dentry parameter.)
S
In dentry_has_perm, path_has_perm, and file_has_perm, push the dentry down
to before avc_has_perm so that dentry_security can be used instead of
inode_security. Since inode_has_perm now takes a dentry, rename it to
__dentry_has_perm.
Signed-off-by: Andreas Gruenbacher
---
security/selinux/hooks
When gfs2 releases the glock of an inode, it must invalidate all
information cached for that inode, including the page cache and acls. Use
the new security_inode_invalidate_secctx hook to also invalidate security
labels in that case. These items will be reread from disk when needed
after reacquir
Signed-off-by: Andreas Gruenbacher
---
security/selinux/hooks.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index e4369d8..fc8f626 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2756,13 +2756,11 @@ static int s
Use path_has_perm directly instead.
Signed-off-by: Andreas Gruenbacher
---
security/selinux/hooks.c | 18 +++---
1 file changed, 3 insertions(+), 15 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 65e8689..d6b4dc9 100644
--- a/security/selinux/hoo
Add functions dentry_security and inode_security for accessing
inode->i_security. These functions initially don't do much, but they
will later be used to revalidate the security labels when necessary.
Signed-off-by: Andreas Gruenbacher
---
security/selinux/hooks.c | 101
Add a hook to invalidate an inode's security label when the cached
information becomes invalid.
Implement the new hook in selinux: set a flag when a security label becomes
invalid. When hitting a security label which has been marked as invalid in
inode_has_perm, try reloading the label.
If an in
Here is another version of the patch queue to make gfs2 and similar file
systems work with SELinux. As suggested by Stephen Smalley [*], the relevant
uses of inode->security are wrapped in function calls that try to revalidate
invalid labels.
[*] http://marc.info/?l=linux-kernel&m=1444167102076
On Sat, Oct 24, 2015 at 5:04 PM, Dmitry Kasatkin wrote:
> On Sat, Oct 24, 2015 at 3:28 PM, Petko Manolov wrote:
>> On 15-10-23 20:13:41, Dmitry Kasatkin wrote:
>>> On Fri, Oct 23, 2015 at 3:29 PM, Petko Manolov wrote:
>>> >
>>> > I was actually going to get rid of IMA_FS_BUSY. It is less flexib
Hi,
Updated in the patch.
http://git.kernel.org/cgit/linux/kernel/git/kasatkin/linux-digsig.git/log/?h=ima-next
Dmitry
On Fri, Oct 23, 2015 at 9:30 PM, Mimi Zohar wrote:
> On Thu, 2015-10-22 at 21:49 +0300, Dmitry Kasatkin wrote:
>> Crypto HW kernel module can possibly initialize EVM key from
Hi,
I added error printing to the patch
http://git.kernel.org/cgit/linux/kernel/git/kasatkin/linux-digsig.git/log/?h=ima-next
Dmitry
On Fri, Oct 23, 2015 at 9:31 PM, Mimi Zohar wrote:
> On Thu, 2015-10-22 at 21:49 +0300, Dmitry Kasatkin wrote:
>> In order to enable EVM before starting 'init'
On Mon, 2015-10-26 at 16:01 +0200, Petko Manolov wrote:
> On 15-10-25 07:50:32, Mimi Zohar wrote:
> > On Sat, 2015-10-24 at 17:06 +0300, Dmitry Kasatkin wrote:
> >
> > > > @@ -171,9 +172,8 @@ static int __init
> > > > default_appraise_policy_setup(char *str)
> > > > __setup("ima_appraise_tcb", d
On 15-10-25 07:50:32, Mimi Zohar wrote:
> On Sat, 2015-10-24 at 17:06 +0300, Dmitry Kasatkin wrote:
>
> > > @@ -171,9 +172,8 @@ static int __init default_appraise_policy_setup(char
> > > *str)
> > > __setup("ima_appraise_tcb", default_appraise_policy_setup);
> > >
> > > /*
> > > - * Although th
On Sat, 2015-10-24 at 17:04 +0300, Dmitry Kasatkin wrote:
> On Sat, Oct 24, 2015 at 3:28 PM, Petko Manolov wrote:
> > On 15-10-23 20:13:41, Dmitry Kasatkin wrote:
> >> On Fri, Oct 23, 2015 at 3:29 PM, Petko Manolov wrote:
> >> >
> >> > I was actually going to get rid of IMA_FS_BUSY. It is less f