Displaying 9 results from an estimated 9 matches for "inode_init_security".
2023 Mar 24
1
[PATCH v8 4/6] security: Allow all LSMs to provide xattrs for inode_init_security hook
...03-23 at 20:09 -0400, Paul Moore wrote:
> > > On Tue, Mar 14, 2023 at 4:19 AM Roberto Sassu
> > > <roberto.sassu at huaweicloud.com> wrote:
> > > > From: Roberto Sassu <roberto.sassu at huawei.com>
> > > >
> > > > Currently, security_inode_init_security() supports only one LSM providing
> > > > an xattr and EVM calculating the HMAC on that xattr, plus other inode
> > > > metadata.
> > > >
> > > > Allow all LSMs to provide one or multiple xattrs, by extending the security
> > > > blob rese...
2023 Mar 27
1
[PATCH v8 4/6] security: Allow all LSMs to provide xattrs for inode_init_security hook
...Moore wrote:
> > > > On Tue, Mar 14, 2023 at 4:19 AM Roberto Sassu
> > > > <roberto.sassu at huaweicloud.com> wrote:
> > > > > From: Roberto Sassu <roberto.sassu at huawei.com>
> > > > >
> > > > > Currently, security_inode_init_security() supports only one LSM providing
> > > > > an xattr and EVM calculating the HMAC on that xattr, plus other inode
> > > > > metadata.
> > > > >
> > > > > Allow all LSMs to provide one or multiple xattrs, by extending the security
> >...
2023 Mar 24
1
[PATCH v8 4/6] security: Allow all LSMs to provide xattrs for inode_init_security hook
...wrote:
> On Thu, 2023-03-23 at 20:09 -0400, Paul Moore wrote:
> > On Tue, Mar 14, 2023 at 4:19 AM Roberto Sassu
> > <roberto.sassu at huaweicloud.com> wrote:
> > > From: Roberto Sassu <roberto.sassu at huawei.com>
> > >
> > > Currently, security_inode_init_security() supports only one LSM providing
> > > an xattr and EVM calculating the HMAC on that xattr, plus other inode
> > > metadata.
> > >
> > > Allow all LSMs to provide one or multiple xattrs, by extending the security
> > > blob reservation mechanism. Introd...
2023 Mar 14
7
[PATCH v8 0/6] evm: Do HMAC of multiple per LSM xattrs for new inodes
...patch set tackles one of them: gives to each LSM the
ability to specify one or multiple xattrs to be set at inode creation
time and, at the same time, gives to EVM the ability to access all those
xattrs and calculate the HMAC on them.
The first problem that this patch set addresses is to make the
inode_init_security hook definition suitable to use with EVM which, unlike
other LSMs, needs to have visibility of all xattrs and not only the one
that the LSM infrastructure passes to the LSM to be set.
The solution is to replace in the inode_init_security definition the
name/value/len parameters with the beginning...
2023 Mar 28
1
[PATCH v8 4/6] security: Allow all LSMs to provide xattrs for inode_init_security hook
On Tue, Mar 28, 2023 at 3:47 AM Roberto Sassu
<roberto.sassu at huaweicloud.com> wrote:
>
> On Mon, 2023-03-27 at 17:02 -0400, Paul Moore wrote:
> > On Mon, Mar 27, 2023 at 3:30 AM Roberto Sassu
> > <roberto.sassu at huaweicloud.com> wrote:
> > > On Fri, 2023-03-24 at 17:39 -0400, Paul Moore wrote:
> > > > On Fri, Mar 24, 2023 at 9:26 AM Roberto
2022 Dec 01
8
[PATCH v7 0/6] evm: Do HMAC of multiple per LSM xattrs for new inodes
...patch set tackles one of them: gives to each LSM the
ability to specify one or multiple xattrs to be set at inode creation
time and, at the same time, gives to EVM the ability to access all those
xattrs and calculate the HMAC on them.
The first problem that this patch set addresses is to make the
inode_init_security hook definition suitable to use with EVM which, unlike
other LSMs, needs to have visibility of all xattrs and not only the one
that the LSM infrastructure passes to the LSM to be set.
The solution is to replace in the inode_init_security definition the
name/value/len parameters with the beginning...
2023 Mar 06
1
ocfs2 xattr
On Mon, Mar 06, 2023 at 05:58:30PM +0100, Roberto Sassu wrote:
> If there is no hook registering to inode_init_security, theoretically
> the LSM infrastructure should return -EOPNOTSUPP, which causes ocfs2 to
> set si->enable to zero, and not execute the line that causes the kernel
> to panic.
>
> The problem would arise if somehow the LSM infrastructure returns zero,
> without setting the xatt...
2022 Dec 01
1
[PATCH v7 3/6] security: Remove security_old_inode_init_security()
From: Roberto Sassu <roberto.sassu at huawei.com>
As the remaining two users reiserfs and ocfs2 switched to
security_inode_init_security(), security_old_inode_init_security() can be
now removed.
Out-of-tree kernel modules should switch to security_inode_init_security()
too.
Signed-off-by: Roberto Sassu <roberto.sassu at huawei.com>
Reviewed-by: Casey Schaufler <casey at schaufler-ca.com>
---
include/linux/security.h |...
2023 Mar 14
1
[PATCH v8 3/6] security: Remove security_old_inode_init_security()
From: Roberto Sassu <roberto.sassu at huawei.com>
As the remaining two users reiserfs and ocfs2 switched to
security_inode_init_security(), security_old_inode_init_security() can be
now removed.
Out-of-tree kernel modules should switch to security_inode_init_security()
too.
Signed-off-by: Roberto Sassu <roberto.sassu at huawei.com>
Reviewed-by: Casey Schaufler <casey at schaufler-ca.com>
Reviewed-by: Mimi Zohar <zoh...