lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 15 Sep 2017 06:21:28 +1000 (AEST)
From:   James Morris <jmorris@...ei.org>
To:     Mimi Zohar <zohar@...ux.vnet.ibm.com>
cc:     linux-security-module@...r.kernel.org,
        Christoph Hellwig <hch@....de>,
        linux-ima-devel@...ts.sourceforge.net,
        Christoph Hellwig <hch@...radead.org>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 2/2] integrity: replace call to integrity_read_file with
 kernel version

On Tue, 12 Sep 2017, Mimi Zohar wrote:

> From: Christoph Hellwig <hch@....de>
> 
> The CONFIG_IMA_LOAD_X509 and CONFIG_EVM_LOAD_X509 options permit
> loading x509 signed certificates onto the trusted keyrings without
> verifying the x509 certificate file's signature.
> 
> This patch replaces the call to the integrity_read_file() specific
> function with the common kernel_read_file_from_path() function.
> To avoid verifying the file signature, this patch defines
> READING_X509_CERTFICATE.

So, to be clear, this patch solves the XFS deadlock using a different 
approach (to the now reverted integrity_read approach), which Christoph 
also says is more correct generally.  Correct?

What testing has this had?

Should this go in with the rest of the security changes now or wait until 
either -rc or the next merge window?


-- 
James Morris
<jmorris@...ei.org>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ