diff for duplicates of <1517584816.3171.61.camel@linux.vnet.ibm.com> diff --git a/a/1.txt b/N1/1.txt index f0db2b5..16b511c 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -12,27 +12,27 @@ On Tue, 2018-01-30 at 19:06 +0100, Dongsu Park wrote: Both IMA-measurement and IMA-appraisal cache the integrity results and are dependent on the kernel to detect when a file changes in order to -clear the cached info and force the file to be re-evaluated. This -detection was dependent on i_version changing. For filesystems that +clear the cached info and force the file to be re-evaluated.??This +detection was dependent on i_version changing.??For filesystems that do not support i_version, remote or fuse filesystems, where the kernel does not detect the file change, the file was measured and the signature evaluated just once. With commit a2a2c3c8580a ("ima: Use i_version only when filesystem supports it"), which is being upstreamed in this open window, -i_version is considered an optimization. If i_version is not enabled, +i_version is considered an optimization.??If i_version is not enabled, either because the local filesystem does not support it or the filesystem wasn't mounted with i_version, the file will now always be re-evaluated. That patch does not address FUSE or remote filesystems, as the kernel -does not detect the change. Further, even if the kernel could detect +does not detect the change.??Further, even if the kernel could detect the change, FUSE filesystems by definition are untrusted. The original patches addressed FUSE filesystems, by defining a new IMA policy option, forcing the file to be re-evaluated based on the -filesystem magic number. All of the changes were in the IMA -subsystem. These patches are the result of Christoph's comment on the +filesystem magic number. ?All of the changes were in the IMA +subsystem. ?These patches are the result of Christoph's comment on the original patches saying, "ima has no business looking at either the name _or_ the magic number." 
@@ -41,10 +41,10 @@ Your help in resolving this problem is much appreciated! Mimi > -> Cc: linux-kernel@vger.kernel.org -> Cc: linux-integrity@vger.kernel.org -> Cc: linux-security-module@vger.kernel.org -> Cc: linux-fsdevel@vger.kernel.org +> Cc: linux-kernel at vger.kernel.org +> Cc: linux-integrity at vger.kernel.org +> Cc: linux-security-module at vger.kernel.org +> Cc: linux-fsdevel at vger.kernel.org > Cc: Miklos Szeredi <miklos@szeredi.hu> > Cc: Alexander Viro <viro@zeniv.linux.org.uk> > Cc: Mimi Zohar <zohar@linux.vnet.ibm.com> @@ -85,3 +85,8 @@ Mimi > #define FS_RENAME_DOES_D_MOVE 32768 /* FS will handle d_move() during rename() internally. */ > struct dentry *(*mount) (struct file_system_type *, int, > const char *, void *); + +-- +To unsubscribe from this list: send the line "unsubscribe linux-security-module" in +the body of a message to majordomo at vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/a/content_digest b/N1/content_digest index 6b80e63..3baaac8 100644 --- a/a/content_digest +++ b/N1/content_digest 
@@ -1,23 +1,9 @@ "ref\0cover.1517314847.git.dongsu@kinvolk.io\0" "ref\086832c6adb256f29f44b6229222b80964fc8cfcc.1517314847.git.dongsu@kinvolk.io\0" - "From\0Mimi Zohar <zohar@linux.vnet.ibm.com>\0" - "Subject\0Re: [RFC PATCH v4 1/2] fuse: introduce new fs_type flag FS_IMA_NO_CACHE\0" + "From\0zohar@linux.vnet.ibm.com (Mimi Zohar)\0" + "Subject\0[RFC PATCH v4 1/2] fuse: introduce new fs_type flag FS_IMA_NO_CACHE\0" "Date\0Fri, 02 Feb 2018 10:20:16 -0500\0" - "To\0Miklos Szeredi <miklos@szeredi.hu>" - " Christoph Hellwig <hch@infradead.org>\0" - "Cc\0linux-integrity@vger.kernel.org" - linux-security-module@vger.kernel.org - linux-fsdevel@vger.kernel.org - Alban Crequy <alban@kinvolk.io> - Miklos Szeredi <mszeredi@redhat.com> - Alexander Viro <viro@zeniv.linux.org.uk> - Dmitry Kasatkin <dmitry.kasatkin@gmail.com> - James Morris <jmorris@namei.org> - Christoph Hellwig <hch@infradead.org> - Serge E . Hallyn <serge@hallyn.com> - Seth Forshee <seth.forshee@canonical.com> - Dongsu Park <dongsu@kinvolk.io> - " linux-kernel@vger.kernel.org\0" + "To\0linux-security-module@vger.kernel.org\0" "\00:1\0" "b\0" "Hi Miklos,\n" 
@@ -34,27 +20,27 @@ "\n" "Both IMA-measurement and IMA-appraisal cache the integrity results and\n" "are dependent on the kernel to detect when a file changes in order to\n" - "clear the cached info and force the file to be re-evaluated. This\n" - "detection was dependent on i_version changing. For filesystems that\n" + "clear the cached info and force the file to be re-evaluated.??This\n" + "detection was dependent on i_version changing.??For filesystems that\n" "do not support i_version, remote or fuse filesystems, where the kernel\n" "does not detect the file change, the file was measured and the\n" "signature evaluated just once.\n" "\n" "With commit a2a2c3c8580a (\"ima: Use i_version only when filesystem\n" "supports it\"), which is being upstreamed in this open window,\n" - "i_version is considered an optimization. If i_version is not enabled,\n" + "i_version is considered an optimization.??If i_version is not enabled,\n" "either because the local filesystem does not support it or the\n" "filesystem wasn't mounted with i_version, the file will now always be\n" "re-evaluated.\n" "\n" "That patch does not address FUSE or remote filesystems, as the kernel\n" - "does not detect the change. Further, even if the kernel could detect\n" + "does not detect the change.??Further, even if the kernel could detect\n" "the change, FUSE filesystems by definition are untrusted.\n" "\n" "The original patches addressed FUSE filesystems, by defining a new IMA\n" "policy option, forcing the file to be re-evaluated based on the\n" - "filesystem magic number. All of the changes were in the IMA\n" - "subsystem. These patches are the result of Christoph's comment on the\n" + "filesystem magic number. ?All of the changes were in the IMA\n" + "subsystem. ?These patches are the result of Christoph's comment on the\n" "original patches saying, \"ima has no business looking at either the\n" "name _or_ the magic number.\"\n" "\n" 
@@ -63,10 +49,10 @@ "Mimi\n" "\n" "> \n" - "> Cc: linux-kernel@vger.kernel.org\n" - "> Cc: linux-integrity@vger.kernel.org\n" - "> Cc: linux-security-module@vger.kernel.org\n" - "> Cc: linux-fsdevel@vger.kernel.org\n" + "> Cc: linux-kernel at vger.kernel.org\n" + "> Cc: linux-integrity at vger.kernel.org\n" + "> Cc: linux-security-module at vger.kernel.org\n" + "> Cc: linux-fsdevel at vger.kernel.org\n" "> Cc: Miklos Szeredi <miklos@szeredi.hu>\n" "> Cc: Alexander Viro <viro@zeniv.linux.org.uk>\n" "> Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>\n" @@ -106,6 +92,11 @@ "> +#define FS_IMA_NO_CACHE\t\t16\t/* Force IMA to re-measure, re-appraise, re-audit files */\n" "> #define FS_RENAME_DOES_D_MOVE\t32768\t/* FS will handle d_move() during rename() internally. */\n" "> \tstruct dentry *(*mount) (struct file_system_type *, int,\n" - "> \t\t const char *, void *);" + "> \t\t const char *, void *);\n" + "\n" + "--\n" + "To unsubscribe from this list: send the line \"unsubscribe linux-security-module\" in\n" + "the body of a message to majordomo at vger.kernel.org\n" + More majordomo info at http://vger.kernel.org/majordomo-info.html -391ab001ed5026dfe95931deb4e43d5045f0099ac39caed3eb0538559b9ebaf7 +5c7e3344f8fefc3b0dcca2aaeae582f4d9c50a26a93b82961e52f81e8ccaf888
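Review bot: the N1 copy is a lossy re-rendering, not just a re-encoding, and should not be treated as equivalent to the original when deduplicating. In the 1.txt body hunks the two-character sentence separators after "re-evaluated.", "changing.", "optimization.", "change.", "number." and "subsystem." come out as `??`, which is what a transcode that cannot represent U+00A0 produces at exactly the positions where the N2 copy shows `\302\240\302\240` (octal UTF-8 escapes for two no-break spaces); the original characters are gone. The content_digest header hunk also drops the `Re: ` prefix from the Subject, rewrites From to `zohar@linux.vnet.ibm.com (Mimi Zohar)`, and collapses the To and Cc lists to a single `linux-security-module@vger.kernel.org`, while the quoted Cc lines are rewritten to `linux-kernel at vger.kernel.org` form and a majordomo unsubscribe trailer is appended. All of this is characteristic of a list-archive rendering that obfuscates addresses, and the digest moving from 391ab001 to 5c7e3344 follows from those edits, so keying duplicates on content_digest correctly keeps N1 distinct; anyone reconstructing the message text should prefer the other copies.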
diff --git a/a/1.txt b/N2/1.txt index f0db2b5..3de5e12 100644 --- a/a/1.txt +++ b/N2/1.txt @@ -12,27 +12,27 @@ On Tue, 2018-01-30 at 19:06 +0100, Dongsu Park wrote: Both IMA-measurement and IMA-appraisal cache the integrity results and are dependent on the kernel to detect when a file changes in order to -clear the cached info and force the file to be re-evaluated. This -detection was dependent on i_version changing. For filesystems that +clear the cached info and force the file to be re-evaluated. This +detection was dependent on i_version changing. For filesystems that do not support i_version, remote or fuse filesystems, where the kernel does not detect the file change, the file was measured and the signature evaluated just once. With commit a2a2c3c8580a ("ima: Use i_version only when filesystem supports it"), which is being upstreamed in this open window, -i_version is considered an optimization. If i_version is not enabled, +i_version is considered an optimization. If i_version is not enabled, either because the local filesystem does not support it or the filesystem wasn't mounted with i_version, the file will now always be re-evaluated. That patch does not address FUSE or remote filesystems, as the kernel -does not detect the change. Further, even if the kernel could detect +does not detect the change. Further, even if the kernel could detect the change, FUSE filesystems by definition are untrusted. The original patches addressed FUSE filesystems, by defining a new IMA policy option, forcing the file to be re-evaluated based on the -filesystem magic number. All of the changes were in the IMA -subsystem. These patches are the result of Christoph's comment on the +filesystem magic number. All of the changes were in the IMA +subsystem. These patches are the result of Christoph's comment on the original patches saying, "ima has no business looking at either the name _or_ the magic number." 
diff --git a/a/content_digest b/N2/content_digest index 6b80e63..291ae94 100644 --- a/a/content_digest +++ b/N2/content_digest 
@@ -34,27 +34,27 @@ "\n" "Both IMA-measurement and IMA-appraisal cache the integrity results and\n" "are dependent on the kernel to detect when a file changes in order to\n" - "clear the cached info and force the file to be re-evaluated. This\n" - "detection was dependent on i_version changing. For filesystems that\n" + "clear the cached info and force the file to be re-evaluated.\302\240\302\240This\n" + "detection was dependent on i_version changing.\302\240\302\240For filesystems that\n" "do not support i_version, remote or fuse filesystems, where the kernel\n" "does not detect the file change, the file was measured and the\n" "signature evaluated just once.\n" "\n" "With commit a2a2c3c8580a (\"ima: Use i_version only when filesystem\n" "supports it\"), which is being upstreamed in this open window,\n" - "i_version is considered an optimization. If i_version is not enabled,\n" + "i_version is considered an optimization.\302\240\302\240If i_version is not enabled,\n" "either because the local filesystem does not support it or the\n" "filesystem wasn't mounted with i_version, the file will now always be\n" "re-evaluated.\n" "\n" "That patch does not address FUSE or remote filesystems, as the kernel\n" - "does not detect the change. Further, even if the kernel could detect\n" + "does not detect the change.\302\240\302\240Further, even if the kernel could detect\n" "the change, FUSE filesystems by definition are untrusted.\n" "\n" "The original patches addressed FUSE filesystems, by defining a new IMA\n" "policy option, forcing the file to be re-evaluated based on the\n" - "filesystem magic number. All of the changes were in the IMA\n" - "subsystem. These patches are the result of Christoph's comment on the\n" + "filesystem magic number. \302\240All of the changes were in the IMA\n" + "subsystem. 
\302\240These patches are the result of Christoph's comment on the\n" "original patches saying, \"ima has no business looking at either the\n" "name _or_ the magic number.\"\n" "\n" @@ -108,4 +108,4 @@ "> \tstruct dentry *(*mount) (struct file_system_type *, int,\n" "> \t\t const char *, void *);" -391ab001ed5026dfe95931deb4e43d5045f0099ac39caed3eb0538559b9ebaf7 +97547fb668b2a72158f749132294c77a045363ab12511209d259289a11816250
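Review bot: the N2 copy differs from the original only in whitespace encoding, so this is the case a digest normalizer should collapse. In the 1.txt hunk the removed and added lines are visually identical; content_digest shows why: the original has two ASCII spaces after each period, N2 has two U+00A0 no-break spaces, escaped as `\302\240\302\240`. Headers, addresses and trailer are unchanged, yet the digest moves from 391ab001 to 97547fb6 on that basis alone. If the intent is to recognize N2 as a duplicate, fold U+00A0 to U+0020 (and ideally collapse runs of inter-sentence whitespace) before hashing, and do it on the decoded UTF-8 text; the `??` rendering in the N1 copy shows that normalizing after a lossy transcode would instead hash the damage.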