Displaying 6 results from an estimated 6 matches for "evm_inode_init_secur".
2023 Mar 14
7
[PATCH v8 0/6] evm: Do HMAC of multiple per LSM xattrs for new inodes
...attr array each time
after an LSM executed its implementation of the inode_init_security hook.
It needs to be done after each LSM, and not after all, since there might be
LSMs scanning that xattr array too. Compacting the array after all LSMs
would be too late.
Finally, this patch set modifies the evm_inode_init_security() definition
to be compatible with the inode_init_security hook definition and adds
support for scanning the whole xattr array and for calculating the HMAC
on all xattrs provided by LSMs.
This patch set has been tested by introducing several instances of a
TestLSM (some providing an xattr, some...
2022 Dec 01
8
[PATCH v7 0/6] evm: Do HMAC of multiple per LSM xattrs for new inodes
...attr array each time
after an LSM executed its implementation of the inode_init_security hook.
It needs to be done after each LSM, and not after all, since there might be
LSMs scanning that xattr array too. Compacting the array after all LSMs
would be too late.
Finally, this patch set modifies the evm_inode_init_security() definition
to be compatible with the inode_init_security hook definition and adds
support for scanning the whole xattr array and for calculating the HMAC
on all xattrs provided by LSMs.
This patch set has been tested by introducing several instances of a
TestLSM (some providing an xattr, some...
2023 Feb 19
1
[PATCH v7 6/6] evm: Support multiple LSMs providing an xattr
On Thu, 2022-12-01 at 11:41 +0100, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu at huawei.com>
>
> Currently, evm_inode_init_security() processes a single LSM xattr from
> the array passed by security_inode_init_security(), and calculates the
> HMAC on it and other inode metadata.
>
> Given that initxattrs() callbacks, called by
> security_inode_init_security(), expect that this array is terminated when
> th...
2023 Mar 24
1
[PATCH v8 4/6] security: Allow all LSMs to provide xattrs for inode_init_security hook
...eems more invasive, compared to a simple move
> > > > of a few array elements.
> > > >
> > > > security_check_compact_filled_xattrs() also determines how many xattrs in
> > > > the xattr array have been filled. If there is none, skip
> > > > evm_inode_init_security() and initxattrs(). Skipping the former also avoids
> > > > EVM crashing the kernel, as it is expecting a filled xattr.
> > > >
> > > > Finally, adapt both SELinux and Smack to use the new definition of the
> > > > inode_init_security hook, and to...
2023 Mar 27
1
[PATCH v8 4/6] security: Allow all LSMs to provide xattrs for inode_init_security hook
...ed to a simple move
> > > > > of a few array elements.
> > > > >
> > > > > security_check_compact_filled_xattrs() also determines how many xattrs in
> > > > > the xattr array have been filled. If there is none, skip
> > > > > evm_inode_init_security() and initxattrs(). Skipping the former also avoids
> > > > > EVM crashing the kernel, as it is expecting a filled xattr.
> > > > >
> > > > > Finally, adapt both SELinux and Smack to use the new definition of the
> > > > > inode_init_s...
2023 Mar 24
1
[PATCH v8 4/6] security: Allow all LSMs to provide xattrs for inode_init_security hook
...mination. However, this seems more invasive, compared to a simple move
> > > of a few array elements.
> > >
> > > security_check_compact_filled_xattrs() also determines how many xattrs in
> > > the xattr array have been filled. If there is none, skip
> > > evm_inode_init_security() and initxattrs(). Skipping the former also avoids
> > > EVM crashing the kernel, as it is expecting a filled xattr.
> > >
> > > Finally, adapt both SELinux and Smack to use the new definition of the
> > > inode_init_security hook, and to correctly fill the d...