Re: [PATCH 00/14] EVM

[Randy Dunlap]

On Wed, 21 Apr 2010 17:49:40 -0400 Mimi Zohar wrote:

> Extended Verification Module(EVM) detects offline tampering of the
> security extended attributes (e.g. security.selinux, security.SMACK64,
> security.ima), which is the basis for LSM permission decisions and,
> with this set of patches, integrity appraisal decisions. To detect
> offline tampering of the extended attributes, EVM maintains an
> HMAC-sha1 across a set of security extended attributes, storing the
> HMAC as the extended attribute 'security.evm'. To verify the integrity
> of an extended attribute, EVM exports evm_verifyxattr(), which
> re-calculates the HMAC and compares it with the version stored in
> 'security.evm'.
> 
...
> 
> Much appreciation to Dave Hansen, Serge Hallyn, and Matt Helsley for
> reviewing the patches.
> 
> Mimi
> 
> Mimi Zohar (14):
>   integrity: move ima inode integrity data management
>   security: move LSM xattrnames to xattr.h
>   xattr: define vfs_getxattr_alloc and vfs_xattr_cmp
>   evm: re-release
>   ima: move ima_file_free before releasing the file
>   security: imbed evm calls in security hooks
>   evm: inode post removexattr
>   evm: imbed evm_inode_post_setattr
>   evm: inode_post_init
>   fs: add evm_inode_post_init calls
>   ima: integrity appraisal extension
>   ima: appraise default rules
>   ima: inode post_setattr
>   ima: add ima_inode_setxattr and ima_inode_removexattr
> --

A summary diffstat would be good to see in patch 00/14.

Lacking that, at least each individual patch should have a diffstat summary
in it.  Please read Documentation/SubmittingPatches.

---
~Randy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/