Re: [PATCH 11/11] evm: Don't update hmacs in user ns mounts

From: Mimi Zohar
Date: Sun Dec 24 2017 - 00:56:17 EST


On Sun, 2017-12-24 at 00:12 -0500, Mimi Zohar wrote:
> Hi Serge,
>
> On Fri, 2017-12-22 at 22:03 -0600, Serge E. Hallyn wrote:
> > On Fri, Dec 22, 2017 at 03:32:35PM +0100, Dongsu Park wrote:
> > > From: Seth Forshee <seth.forshee@xxxxxxxxxxxxx>
> > >
> > > The kernel should not calculate new hmacs for mounts done by
> > > non-root users. Update evm_calc_hmac_or_hash() to refuse to
> > > calculate new hmacs for mounts for non-init user namespaces.
> > >
> > > Cc: linux-integrity@xxxxxxxxxxxxxxx
> > > Cc: linux-security-module@xxxxxxxxxxxxxxx
> > > Cc: linux-kernel@xxxxxxxxxxxxxxx
> > > Cc: James Morris <james.l.morris@xxxxxxxxxx>
> > > Cc: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx>
> >
> > Hi Mimi,
> >
> > does this change seem sufficient to you?
>
> I think this is the correct behavior in the context of fuse file
> systems. This patch, the "ima: define a new policy option named
> force" patch, and an updated IMA policy should be upstreamed together.
> The cover letter should provide the motivation for these patches.

Ah, this patch is being upstreamed with the fuse mounts patches. I
guess Seth is planning on posting the IMA policy changes for fuse
separately.

Mimi