lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20200105011246.GA5936@blofly.tw.rdlabs.hpecorp.net>
Date:   Sun, 5 Jan 2020 09:12:46 +0800
From:   Clay Chang <clayc@....com>
To:     Mimi Zohar <zohar@...ux.ibm.com>
Cc:     linux-kernel@...r.kernel.org,
        linux-security-module@...r.kernel.org,
        linux-integrity@...r.kernel.org, dmitry.kasatkin@...il.com,
        jmorris@...ei.org, serge@...lyn.com
Subject: Re: [PATCH] ima: Add a space after printing a LSM rule for
 readability

On Fri, Jan 03, 2020 at 12:11:27PM -0500, Mimi Zohar wrote:
> On Fri, 2020-01-03 at 15:51 +0800, clayc@....com wrote:
> > From: Clay Chang <clayc@....com>
> 
> Normally this "From" line is only seen when the sender isn't the patch
> author.  Any ideas what happened? 
>

Hi Mimi,

Apparently I should not use "--from" in git-send-email command.

> > 
> > When reading ima_policy from securityfs, there is a missing
> > space between output string of LSM rules.
> > 
> > Signed-off-by: Clay Chang <clayc@....com>
> 
> Good catch!  IMA policy rules based on LSM labels are used to
> constrain which files are in policy.  Normally a single LSM label is
> enough (e.g. dont_measure obj_type=auditd_log_t).  Could you include
> in this patch description a use case where multiple LSM labels are
> needed?
> 

Apology for not expressed my intention clearly. The intention of this
patch is to add a space after printing LSM rules (if any) and the
remaining rules.

Currently, if I have a policy, for example:
appraise func=BPRM_CHECK obj_type=shell_exec_t appraise_type=imasig

The read back result is:
appraise func=BPRM_CHECK obj_type=shell_exec_tappraise_type=imasig

which is not correct.

I do not have a case for multiple LSM labels, but if there is one
such case, this patch will also apply.

I will post a v2 patch with tuned description.

Thanks,
Clay

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ