lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 21 Apr 2010 18:41:28 -0400
From:	Mimi Zohar <zohar@...ux.vnet.ibm.com>
To:	Randy Dunlap <randy.dunlap@...cle.com>
Cc:	linux-kernel@...r.kernel.org,
	linux-security-module@...r.kernel.org,
	James Morris <jmorris@...ei.org>,
	David Safford <safford@...son.ibm.com>,
	Dave Hansen <dave@...ux.vnet.ibm.com>
Subject: Re: [PATCH 00/14] EVM

On Wed, 2010-04-21 at 15:23 -0700, Randy Dunlap wrote:
> On 04/21/10 15:18, Mimi Zohar wrote:
> > On Wed, 2010-04-21 at 14:58 -0700, Randy Dunlap wrote:
> >> On Wed, 21 Apr 2010 17:49:40 -0400 Mimi Zohar wrote:
> >>
> >>> Extended Verification Module(EVM) detects offline tampering of the
> >>> security extended attributes (e.g. security.selinux, security.SMACK64,
> >>> security.ima), which is the basis for LSM permission decisions and,
> >>> with this set of patches, integrity appraisal decisions. To detect
> >>> offline tampering of the extended attributes, EVM maintains an
> >>> HMAC-sha1 across a set of security extended attributes, storing the
> >>> HMAC as the extended attribute 'security.evm'. To verify the integrity
> >>> of an extended attribute, EVM exports evm_verifyxattr(), which
> >>> re-calculates the HMAC and compares it with the version stored in
> >>> 'security.evm'.
> >>>
> >> ...
> >>>
> >>> Much appreciation to Dave Hansen, Serge Hallyn, and Matt Helsley for
> >>> reviewing the patches.
> >>>
> >>> Mimi
> >>>
> >>> Mimi Zohar (14):
> >>>   integrity: move ima inode integrity data management
> >>>   security: move LSM xattrnames to xattr.h
> >>>   xattr: define vfs_getxattr_alloc and vfs_xattr_cmp
> >>>   evm: re-release
> >>>   ima: move ima_file_free before releasing the file
> >>>   security: imbed evm calls in security hooks
> >>>   evm: inode post removexattr
> >>>   evm: imbed evm_inode_post_setattr
> >>>   evm: inode_post_init
> >>>   fs: add evm_inode_post_init calls
> >>>   ima: integrity appraisal extension
> >>>   ima: appraise default rules
> >>>   ima: inode post_setattr
> >>>   ima: add ima_inode_setxattr and ima_inode_removexattr
> >>> --
> >>
> >> A summary diffstat would be good to see in patch 00/14.
> >>
> >> Lacking that, at least each individual patch should have a diffstat summary
> >> in it.  Please read Documentation/SubmittingPatches.
> >>
> >> ---
> >> ~Randy
> >

Documentation/kernel-parameters.txt   |    4 +
 fs/attr.c                             |    7 +-
 fs/ext2/xattr_security.c              |   31 +++-
 fs/ext3/xattr_security.c              |   30 +++-
 fs/ext4/xattr_security.c              |   30 +++-
 fs/file_table.c                       |    2 +-
 fs/xattr.c                            |   63 ++++++-
 include/linux/capability.h            |    3 -
 include/linux/evm.h                   |   80 ++++++++
 include/linux/ima.h                   |   27 ++-
 include/linux/integrity.h             |   35 ++++
 include/linux/xattr.h                 |   27 +++-
 security/Kconfig                      |    2 +-
 security/Makefile                     |    4 +-
 security/integrity/Kconfig            |    7 +
 security/integrity/Makefile           |   12 ++
 security/integrity/evm/Kconfig        |   13 ++
 security/integrity/evm/Makefile       |    7 +
 security/integrity/evm/evm.h          |   38 ++++
 security/integrity/evm/evm_crypto.c   |  198 +++++++++++++++++++
 security/integrity/evm/evm_main.c     |  335 +++++++++++++++++++++++++++++++++
 security/integrity/evm/evm_secfs.c    |  108 +++++++++++
 security/integrity/iint.c             |  153 +++++++++++++++
 security/integrity/ima/Kconfig        |   15 ++
 security/integrity/ima/Makefile       |    4 +-
 security/integrity/ima/ima.h          |   76 +++++---
 security/integrity/ima/ima_api.c      |   61 +++++--
 security/integrity/ima/ima_appraise.c |  152 +++++++++++++++
 security/integrity/ima/ima_iint.c     |  145 --------------
 security/integrity/ima/ima_main.c     |  123 ++++++++++---
 security/integrity/ima/ima_policy.c   |   61 ++++++-
 security/integrity/integrity.h        |   50 +++++
 security/security.c                   |   27 +++-
 security/selinux/hooks.c              |    3 -
 security/smack/smack.h                |    2 -
 35 files changed, 1671 insertions(+), 264 deletions(-)
 create mode 100644 include/linux/evm.h
 create mode 100644 include/linux/integrity.h
 create mode 100644 security/integrity/Kconfig
 create mode 100644 security/integrity/Makefile
 create mode 100644 security/integrity/evm/Kconfig
 create mode 100644 security/integrity/evm/Makefile
 create mode 100644 security/integrity/evm/evm.h
 create mode 100644 security/integrity/evm/evm_crypto.c
 create mode 100644 security/integrity/evm/evm_main.c
 create mode 100644 security/integrity/evm/evm_secfs.c
 create mode 100644 security/integrity/iint.c
 create mode 100644 security/integrity/ima/ima_appraise.c
 delete mode 100644 security/integrity/ima/ima_iint.c
 create mode 100644 security/integrity/integrity.h

Mimi

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ