| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 3 Mar 2022 10:07:59 +0000
From: Roberto Sassu <roberto.sassu@...wei.com>
To: Alexei Starovoitov <alexei.starovoitov@...il.com>
CC: "zohar@...ux.ibm.com" <zohar@...ux.ibm.com>,
"shuah@...nel.org" <shuah@...nel.org>,
"ast@...nel.org" <ast@...nel.org>,
"daniel@...earbox.net" <daniel@...earbox.net>,
"andrii@...nel.org" <andrii@...nel.org>, "yhs@...com" <yhs@...com>,
"kpsingh@...nel.org" <kpsingh@...nel.org>,
"revest@...omium.org" <revest@...omium.org>,
"gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>,
"linux-integrity@...r.kernel.org" <linux-integrity@...r.kernel.org>,
"linux-security-module@...r.kernel.org"
<linux-security-module@...r.kernel.org>,
"linux-kselftest@...r.kernel.org" <linux-kselftest@...r.kernel.org>,
"bpf@...r.kernel.org" <bpf@...r.kernel.org>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH v3 0/9] bpf-lsm: Extend interoperability with IMA
> From: Alexei Starovoitov [mailto:alexei.starovoitov@...il.com]
> Sent: Wednesday, March 2, 2022 11:21 PM
> On Wed, Mar 02, 2022 at 12:13:55PM +0100, Roberto Sassu wrote:
> > Extend the interoperability with IMA, to give wider flexibility for the
> > implementation of integrity-focused LSMs based on eBPF.
> >
> > Patch 1 fixes some style issues.
> >
> > Patches 2-6 give the ability to eBPF-based LSMs to take advantage of the
> > measurement capability of IMA without needing to setup a policy in IMA
> > (those LSMs might implement the policy capability themselves).
> >
> > Patches 7-9 allow eBPF-based LSMs to evaluate files read by the kernel.
> >
> > Changelog
> >
> > v2:
> > - Add better description to patch 1 (suggested by Shuah)
> > - Recalculate digest if it is not fresh (when IMA_COLLECTED flag not set)
> > - Move declaration of bpf_ima_file_hash() at the end (suggested by
> > Yonghong)
> > - Add tests to check if the digest has been recalculated
> > - Add deny test for bpf_kernel_read_file()
> > - Add description to tests
> >
> > v1:
> > - Modify ima_file_hash() only and allow the usage of the function with the
> > modified behavior by eBPF-based LSMs through the new function
> > bpf_ima_file_hash() (suggested by Mimi)
> > - Make bpf_lsm_kernel_read_file() sleepable so that bpf_ima_inode_hash()
> > and bpf_ima_file_hash() can be called inside the implementation of
> > eBPF-based LSMs for this hook
> >
> > Roberto Sassu (9):
> > ima: Fix documentation-related warnings in ima_main.c
> > ima: Always return a file measurement in ima_file_hash()
> > bpf-lsm: Introduce new helper bpf_ima_file_hash()
> > selftests/bpf: Move sample generation code to ima_test_common()
> > selftests/bpf: Add test for bpf_ima_file_hash()
> > selftests/bpf: Check if the digest is refreshed after a file write
> > bpf-lsm: Make bpf_lsm_kernel_read_file() as sleepable
> > selftests/bpf: Add test for bpf_lsm_kernel_read_file()
> > selftests/bpf: Check that bpf_kernel_read_file() denies reading IMA
> > policy
>
> We have to land this set through bpf-next.
> Please get the Acks for patches 1 and 2, so we can proceed.
Ok. Mimi, do you have time to have a look at those patches?
Thanks
Roberto
HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Zhong Ronghua
Powered by blists - more mailing lists