similar to: [PATCH v7 0/6] evm: Do HMAC of multiple per LSM xattrs for new inodes

From: Roberto Sassu <roberto.sassu at huawei.com> One of the major goals of LSM stacking is to run multiple LSMs side by side without interfering with each other. The ultimate decision will depend on individual LSM decision. Several changes need to be made to the LSM infrastructure to be able to support that. This patch set tackles one of them: gives to each LSM the ability to specify one

On Fri, Mar 24, 2023 at 9:26?AM Roberto Sassu <roberto.sassu at huaweicloud.com> wrote: > > On Fri, 2023-03-24 at 11:18 +0100, Roberto Sassu wrote: > > On Thu, 2023-03-23 at 20:09 -0400, Paul Moore wrote: > > > On Tue, Mar 14, 2023 at 4:19?AM Roberto Sassu > > > <roberto.sassu at huaweicloud.com> wrote: > > > > From: Roberto Sassu

On Fri, 2023-03-24 at 17:39 -0400, Paul Moore wrote: > On Fri, Mar 24, 2023 at 9:26?AM Roberto Sassu > <roberto.sassu at huaweicloud.com> wrote: > > On Fri, 2023-03-24 at 11:18 +0100, Roberto Sassu wrote: > > > On Thu, 2023-03-23 at 20:09 -0400, Paul Moore wrote: > > > > On Tue, Mar 14, 2023 at 4:19?AM Roberto Sassu > > > > <roberto.sassu at

On Fri, Mar 24, 2023 at 6:18?AM Roberto Sassu <roberto.sassu at huaweicloud.com> wrote: > On Thu, 2023-03-23 at 20:09 -0400, Paul Moore wrote: > > On Tue, Mar 14, 2023 at 4:19?AM Roberto Sassu > > <roberto.sassu at huaweicloud.com> wrote: > > > From: Roberto Sassu <roberto.sassu at huawei.com> > > > > > > Currently,

On Thu, 2022-12-01 at 11:41 +0100, Roberto Sassu wrote: > From: Roberto Sassu <roberto.sassu at huawei.com> > > In preparation for removing security_old_inode_init_security(), switch to > security_inode_init_security(). > > Extend the existing ocfs2_initxattrs() to take the > ocfs2_security_xattr_info structure from fs_info, and populate the > name/value/len triple

From: Roberto Sassu <roberto.sassu at huawei.com> In preparation for removing security_old_inode_init_security(), switch to security_inode_init_security(). Extend the existing ocfs2_initxattrs() to take the ocfs2_security_xattr_info structure from fs_info, and populate the name/value/len triple with the first xattr provided by LSMs. As fs_info was not used before, ocfs2_initxattrs() can

From: Roberto Sassu <roberto.sassu at huawei.com> In preparation for removing security_old_inode_init_security(), switch to security_inode_init_security(). Commit 572302af1258 ("reiserfs: Add missing calls to reiserfs_security_free()") fixed possible memory leaks and another issue related to adding an xattr at inode creation time. Define the initxattrs callback

On Thu, 2022-12-01 at 11:41 +0100, Roberto Sassu wrote: > From: Roberto Sassu <roberto.sassu at huawei.com> > > Currently, evm_inode_init_security() processes a single LSM xattr from > the array passed by security_inode_init_security(), and calculates the > HMAC on it and other inode metadata. > > Given that initxattrs() callbacks, called by >

On Tue, Mar 28, 2023 at 3:47?AM Roberto Sassu <roberto.sassu at huaweicloud.com> wrote: > > On Mon, 2023-03-27 at 17:02 -0400, Paul Moore wrote: > > On Mon, Mar 27, 2023 at 3:30?AM Roberto Sassu > > <roberto.sassu at huaweicloud.com> wrote: > > > On Fri, 2023-03-24 at 17:39 -0400, Paul Moore wrote: > > > > On Fri, Mar 24, 2023 at 9:26?AM Roberto

From: Roberto Sassu <roberto.sassu at huawei.com> As the remaining two users reiserfs and ocfs2 switched to security_inode_init_security(), security_old_inode_init_security() can be now removed. Out-of-tree kernel modules should switch to security_inode_init_security() too. Signed-off-by: Roberto Sassu <roberto.sassu at huawei.com> Reviewed-by: Casey Schaufler <casey at

From: Roberto Sassu <roberto.sassu at huawei.com> As the remaining two users reiserfs and ocfs2 switched to security_inode_init_security(), security_old_inode_init_security() can be now removed. Out-of-tree kernel modules should switch to security_inode_init_security() too. Signed-off-by: Roberto Sassu <roberto.sassu at huawei.com> Reviewed-by: Casey Schaufler <casey at

On Tue, 2023-02-21 at 14:45 +0800, Joseph Qi wrote: > Hi, > > Sorry for the late reply. > > I don't have much background on this thread. It seems that we have to > check EOPNOTSUPP since ocfs2_init_security_get() may return EOPNOTSUPP > if it doesn't support extended attribute feature for backward > compatibility. Hi Joseph yes, I already reintroduced the check.

On Thu, Dec 1, 2022 at 5:42?AM Roberto Sassu <roberto.sassu at huaweicloud.com> wrote: > > From: Roberto Sassu <roberto.sassu at huawei.com> > > One of the major goals of LSM stacking is to run multiple LSMs side by side > without interfering with each other. The ultimate decision will depend on > individual LSM decision. > > Several changes need to be made to

After creating the initial LSM security extended attribute, call evm_inode_post_init_security() to create the ''security.evm'' extended attribute. Signed-off-by: Mimi Zohar <zohar@us.ibm.com> --- fs/btrfs/xattr.c | 39 +++++++++++++++++++++++++++++---------- 1 files changed, 29 insertions(+), 10 deletions(-) diff --git a/fs/btrfs/xattr.c b/fs/btrfs/xattr.c index

After creating the initial LSM security extended attribute, call evm_inode_post_init_security() to create the ''security.evm'' extended attribute. Signed-off-by: Mimi Zohar <zohar@us.ibm.com> --- fs/btrfs/xattr.c | 39 +++++++++++++++++++++++++++++---------- 1 files changed, 29 insertions(+), 10 deletions(-) diff --git a/fs/btrfs/xattr.c b/fs/btrfs/xattr.c index

The security.evm extended attribute is fully owned by the Linux kernel and cannot be directly written from userspace. Therefore, we can always skip it. --- xattrs.c | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/xattrs.c b/xattrs.c index b105392..3b72e61 100644 --- a/xattrs.c +++ b/xattrs.c @@ -255,6 +255,9 @@ static int rsync_xal_get(const char *fname,

If the system supports selinux, we will return sucessfully from ocfs2_init_security_get if it is called for the mount point. And in that case if the volume doesn't have xattr support, we will not be able to create a new inode in the mount dir because ocfs2_mknod will try to set security attributes for a new created inode. This patch check xattr support in ocfs2_init_security_get, so it will

Hi Dave, The patch below corrects a buffer overflow bug in q_parser.y. Since it is triggered by excessively long query strings, I believe that this bug could be exploited to allow arbitrary code execution if a query string supplied by a user is passed in directly to Ferret and not truncatated. If I''m right, you should consider a new release asap. I''ve fixed it to simply

On Mon, Mar 06, 2023 at 05:58:30PM +0100, Roberto Sassu wrote: > If there is no hook registering to inode_init_security, theoretically > the LSM infrastructure should return -EOPNOTSUPP, which causes ocfs2 to > set si->enable to zero, and not execute the line that causes the kernel > to panic. > > The problem would arise if somehow the LSM infrastructure returns zero, >

Jim, Thank you very much for your suggestions. I managed to get the C55x code working on the simulator. I would like to port Speex both on a C5502 EVM and a C5509A EVM. As such, if you can provide me with the details of your port on the C5509A, it would be greatly appreciated. Furthermore, I am looking for some technical documentation on the CELP algorithms. I would like to better