| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 2 Aug 2017 15:48:41 -0600
From: Tycho Andersen <tycho@...ker.com>
To: Mehmet Kayaalp <mkayaalp@...ux.vnet.ibm.com>
Cc: ima-devel <linux-ima-devel@...ts.sourceforge.net>,
containers <containers@...ts.linux-foundation.org>,
linux-kernel <linux-kernel@...r.kernel.org>,
linux-security-module <linux-security-module@...r.kernel.org>,
"Serge E . Hallyn" <serge@...lyn.com>,
Yuqiong Sun <sunyuqiong1988@...il.com>,
David Safford <david.safford@...com>,
Mehmet Kayaalp <mkayaalp@...binghamton.edu>,
Stefan Berger <stefanb@...ux.vnet.ibm.com>
Subject: Re: [RFC PATCH 3/5] ima: mamespace audit status flags
On Tue, Aug 01, 2017 at 01:25:31PM -0400, Mehmet Kayaalp wrote:
> >> +unsigned long iint_flags(struct integrity_iint_cache *iint,
> >> + struct ns_status *status)
> >> +{
> >> + if (!status)
> >> + return iint->flags;
> >> +
> >> + return iint->flags & (status->flags & IMA_NS_STATUS_FLAGS);
> >
> > Just to confirm, is there any situation where:
> >
> > iint->flags & IMA_NS_STATUS_FLAGS != status->flags & IMA_NS_STATUS_FLAGS
> >
> > ? i.e. can this line just be:
> >
> > return status->flags & IMA_NS_STATUS_FLAGS;
> >
>
> As Guilherme had pointed out, the first & should be |.
Sorry, that mail got filtered somehow, thanks. Per your discussion, I
guess the most defensive way is:
iint->flags & ~IMA_NS_STATUS_FLAGS | status->flags & IMA_NS_STATUS_FLAGS
in case something comes along and sets IMA_AUDITED on the root iint,
we don't want it to propagate to this ns' status unnecessarily.
Anyway, thanks!
Tycho
Powered by blists - more mailing lists