diff for duplicates of <1509385936.3583.170.camel@linux.vnet.ibm.com> diff --git a/a/1.txt b/N1/1.txt index 7ecb21b..8ec730c 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -1,18 +1,18 @@ -[Corrected Matthew Garrett's email address. Cc'ed Bruno Meneguele] +[Corrected Matthew Garrett's email address. ?Cc'ed Bruno Meneguele] On Mon, 2017-10-30 at 17:00 +0000, David Howells wrote: > Mimi Zohar <zohar@linux.vnet.ibm.com> wrote: > > > This kernel_is_locked_down() check is being called for both the -> > original and new module_load syscalls. We need to be able -> > differentiate them. This is fine for the original syscall, but for +> > original and new module_load syscalls. ?We need to be able +> > differentiate them. ?This is fine for the original syscall, but for > > the new syscall we would need an additional IMA check - > > !is_ima_appraise_enabled(). > > IMA can only be used with finit_module()? Yes, without the file descriptor, IMA-appraisal can't access the -xattrs. +xattrs.? You should really look at Bruno's patches, which are in my next branch: @@ -23,3 +23,8 @@ branch: Can we get an Ack on the module one? Mimi + +-- +To unsubscribe from this list: send the line "unsubscribe linux-security-module" in +the body of a message to majordomo at vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/a/content_digest b/N1/content_digest index 1a4fb88..971af4a 100644 --- a/a/content_digest +++ b/N1/content_digest 
@@ -2,35 +2,27 @@ "ref\0150842463163.7923.11081723749106843698.stgit@warthog.procyon.org.uk\0" "ref\0150842465546.7923.6762214527898273559.stgit@warthog.procyon.org.uk\0" "ref\03565.1509382834@warthog.procyon.org.uk\0" - "From\0Mimi Zohar <zohar@linux.vnet.ibm.com>\0" - "Subject\0Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down\0" + "From\0zohar@linux.vnet.ibm.com (Mimi Zohar)\0" + "Subject\0[PATCH 03/27] Enforce module signatures if the kernel is locked down\0" "Date\0Mon, 30 Oct 2017 13:52:16 -0400\0" - "To\0David Howells <dhowells@redhat.com>\0" - "Cc\0linux-security-module@vger.kernel.org" - gnomes@lxorguk.ukuu.org.uk - linux-efi@vger.kernel.org - gregkh@linuxfoundation.org - linux-kernel@vger.kernel.org - jforbes@redhat.com - Matthew Garrett <mjg59@google.com> - " Bruno E. O. Meneguele <brdeoliv@redhat.com>\0" + "To\0linux-security-module@vger.kernel.org\0" "\00:1\0" "b\0" - "[Corrected Matthew Garrett's email address. \302\240Cc'ed Bruno Meneguele]\n" + "[Corrected Matthew Garrett's email address. ?Cc'ed Bruno Meneguele]\n" "\n" "On Mon, 2017-10-30 at 17:00 +0000, David Howells wrote:\n" "> Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:\n" "> \n" "> > This kernel_is_locked_down() check is being called for both the\n" - "> > original and new module_load syscalls. \302\240We need to be able\n" - "> > differentiate them. \302\240This is fine for the original syscall, but for\n" + "> > original and new module_load syscalls. ?We need to be able\n" + "> > differentiate them. ?This is fine for the original syscall, but for\n" "> > the new syscall we would need an additional IMA check -\n" "> > !is_ima_appraise_enabled().\n" "> \n" "> IMA can only be used with finit_module()?\n" "\n" "Yes, without the file descriptor, IMA-appraisal can't access the\n" - "xattrs.\302\240\n" + "xattrs.?\n" "\n" "You should really look at Bruno's patches, which are in my next\n" "branch:\n" 
@@ -40,6 +32,11 @@ "\n" "Can we get an Ack on the module one?\n" "\n" - Mimi + "Mimi\n" + "\n" + "--\n" + "To unsubscribe from this list: send the line \"unsubscribe linux-security-module\" in\n" + "the body of a message to majordomo at vger.kernel.org\n" + More majordomo info at http://vger.kernel.org/majordomo-info.html -76676c4071a02f5d26a5ca38fd0bc229ba51be3bbd139bc807c3b0355de69bee +e339f91fda1176b2895e4b8e9aa19724ce59409453bea1d7bc223d8c1396c03d
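Review bot: The "?" characters on the N1 side of the 1.txt hunk at @@ -1,18 +1,18 @@ ("address. ?Cc'ed", "syscalls. ?We", "xattrs.?") are lossy charset conversion, not wording changes: the content_digest lines show the same positions as the bytes \302\240 (a UTF-8 non-breaking space) in the a/ copy. Treat the a/ body as the canonical text when quoting this message. The @@ -23,3 +23,8 @@ hunk adds only the list's unsubscribe footer, with the address rewritten as "majordomo at vger.kernel.org", so it carries nothing written by the author.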
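Review bot: In the content_digest hunk at @@ -2,35 +2,27 @@ the N1 copy loses header information that matters for following the thread: the whole Cc list is dropped (including the Matthew Garrett and Bruno Meneguele entries that the body's first line says were corrected and added), To changes from David Howells to the list address, From is rewritten to the "address (Name)" form, and the Subject loses its "Re:" prefix. Use the a/ copy as the record of who was addressed; the N1 headers do not show the original recipients.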