lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 14 Feb 2024 16:21:45 -0500
From: Paul Moore <paul@...l-moore.com>
To: Mimi Zohar <zohar@...ux.ibm.com>
Cc: Roberto Sassu <roberto.sassu@...weicloud.com>, viro@...iv.linux.org.uk, 
	brauner@...nel.org, chuck.lever@...cle.com, jlayton@...nel.org, neilb@...e.de, 
	kolga@...app.com, Dai.Ngo@...cle.com, tom@...pey.com, jmorris@...ei.org, 
	serge@...lyn.com, dmitry.kasatkin@...il.com, eric.snowberg@...cle.com, 
	dhowells@...hat.com, jarkko@...nel.org, stephen.smalley.work@...il.com, 
	eparis@...isplace.org, casey@...aufler-ca.com, shuah@...nel.org, 
	mic@...ikod.net, linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org, 
	linux-nfs@...r.kernel.org, linux-security-module@...r.kernel.org, 
	linux-integrity@...r.kernel.org, keyrings@...r.kernel.org, 
	selinux@...r.kernel.org, linux-kselftest@...r.kernel.org, 
	Roberto Sassu <roberto.sassu@...wei.com>, Stefan Berger <stefanb@...ux.ibm.com>
Subject: Re: [PATCH v9 12/25] security: Introduce file_post_open hook

On Wed, Feb 14, 2024 at 3:07 PM Mimi Zohar <zohar@...ux.ibm.com> wrote:
> On Tue, 2024-02-13 at 10:33 -0500, Paul Moore wrote:
> > On Tue, Feb 13, 2024 at 7:59 AM Roberto Sassu
> > <roberto.sassu@...weicloud.com> wrote:
> > > On Mon, 2024-02-12 at 16:16 -0500, Paul Moore wrote:
> > > > On Mon, Feb 12, 2024 at 4:06 PM Mimi Zohar <zohar@...ux.ibmcom> wrote:
> > > > > Hi Roberto,
> > > > >
> > > > >
> > > > > > diff --git a/security/security.c b/security/security.c
> > > > > > index d9d2636104db..f3d92bffd02f 100644
> > > > > > --- a/security/security.c
> > > > > > +++ b/security/security.c
> > > > > > @@ -2972,6 +2972,23 @@ int security_file_open(struct file *file)
> > > > > >       return fsnotify_perm(file, MAY_OPEN);  <===  Conflict
> > > > >
> > > > > Replace with "return fsnotify_open_perm(file);"
> > > > >
> > > > > >  }
> > > > > >
> > > > >
> > > > > The patch set doesn't apply cleaning to 6.8-rcX without this
> > > > > change.  Unless
> > > > > there are other issues, I can make the change.
> > > >
> > > > I take it this means you want to pull this via the IMA/EVM tree?
> > >
> > > Not sure about that, but I have enough changes to do to make a v10.
>
> @Roberto:  please add my "Reviewed-by" to the remaining patches.
>
> >
> > Sorry, I should have been more clear, the point I was trying to
> > resolve was who was going to take this patchset (eventually).  There
> > are other patches destined for the LSM tree that touch the LSM hooks
> > in a way which will cause conflicts with this patchset, and if
> > you/Mimi are going to take this via the IMA/EVM tree - which is fine
> > with me - I need to take that into account when merging things in the
> > LSM tree during this cycle.  It's not a big deal either way, it would
> > just be nice to get an answer on that within the next week.
>
> Similarly there are other changes for IMA and EVM.  If you're willing to create
> a topic branch for just the v10 patch set that can be merged into your tree and
> into my tree, I'm fine with your upstreaming v10. (I'll wait to send my pull
> request after yours.)  Roberto will add my Ack's to the integrity, IMA, and EVM
> related patches.  However if you're not willing to create a topic branch, I'll
> upstream the v10 patch set.

I'm not a big fan of sharing topic branches across different subsystem
trees, I'd much rather just agree that one tree or another takes the
patchset and the others plan accordingly.  Based on our previous
discussions I was under the impression that you wanted me to merge
this patchset into lsm/dev, but it looks like that is no longer the
case - which is okay by me.

Assuming Roberto gets a v10 out soon, do you expect to merge the v10
patchset and send it up during the upcoming merge window (for v6.9),
or are you expecting to wait until after the upcoming merge window
closes and target v6.10?  Once again, either is fine, I'm just trying
to coordinate this with other patches.

-- 
paul-moore.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ