diff for duplicates of <1521140467.5348.94.camel@HansenPartnership.com> diff --git a/a/1.txt b/N1/1.txt index 7028e1c..10c0511 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -7,9 +7,9 @@ On Thu, 2018-03-15 at 14:51 -0400, Stefan Berger wrote: > > > > > > > > commit f36f8c75ae2e7d4da34f4c908cebdb4aa42c977e > > > > Author: David Howells <dhowells@redhat.com> -> > > > Date: Tue Sep 24 10:35:19 2013 +0100 +> > > > Date: Tue Sep 24 10:35:19 2013 +0100 > > > > -> > > > KEYS: Add per-user_namespace registers for persistent +> > > > KEYS: Add per-user_namespace registers for persistent > > > > per-UID > > > > kerberos caches > > > The benefit for IMA would be that this would then tie the keys 
@@ -18,18 +18,18 @@ On Thu, 2018-03-15 at 14:51 -0400, Stefan Berger wrote: > > > which is now hooked to the user namespace, and you join that user > > > namespace but your files don't have signatures, nothing will > > > execute anymore. That's now a side effect of joining this user -> > > namespace unless we have a magic exception. My feeling is, +> > > namespace unless we have a magic exception. My feeling is, > > > people may not like that... > > Agree, but I think the magic might be to populate the ima keyring -> > with the parent on user_ns creation. That way the user_ns owner +> > with the parent on user_ns creation. That way the user_ns owner > > can delete the parent keys if they don't like them, but by default > > the parent appraisal policy should just work. > > That may add keys to your keyring but doesn't get you signatures on -> your files. +> your files. -But it doesn't need to. The only way we'd get a failure is if the file -is already being appraised and we lose access to the key. If the +But it doesn't need to. The only way we'd get a failure is if the file +is already being appraised and we lose access to the key. If the parent policy isn't appraisal, entering the IMA NS won't cause appraisal to be turned on unless the owner asks for it, in which case it's caveat emptor: As it works today, if as root I add a default @@ -37,8 +37,3 @@ appraisal policy to IMA without either a key or xattrs, I get an unusable system. James - -_______________________________________________ -Containers mailing list -Containers@lists.linux-foundation.org -https://lists.linuxfoundation.org/mailman/listinfo/containers diff --git a/a/content_digest b/N1/content_digest index 5b39505..8af7546 100644 --- a/a/content_digest +++ b/N1/content_digest 
@@ -6,21 +6,20 @@ "ref\02183a3b4-6270-d2e9-70ad-a7399eb1681c@linux.vnet.ibm.com\0" "ref\01521139535.5348.89.camel@HansenPartnership.com\0" "ref\00dc5b856-8dc6-7b5a-eeac-febd19f6498c@linux.vnet.ibm.com\0" - "ref\00dc5b856-8dc6-7b5a-eeac-febd19f6498c-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org\0" - "From\0James Bottomley <James.Bottomley-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>\0" + "From\0James Bottomley <James.Bottomley@hansenpartnership.com>\0" "Subject\0Re: [RFC PATCH v2 1/3] ima: extend clone() with IMA namespace support\0" "Date\0Thu, 15 Mar 2018 12:01:07 -0700\0" - "To\0Stefan Berger <stefanb-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>" - " Eric W. Biederman <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>\0" - "Cc\0mkayaalp-4hyTIkVWTs8LubxHQvXPfYdd74u8MsAO@public.gmane.org" - Mehmet Kayaalp <mkayaalp-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org> - sunyuqiong1988-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org - containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org - linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org - david.safford-JJi787mZWgc@public.gmane.org - linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org - linux-integrity-u79uwXL29TY76Z2rM5mHXA@public.gmane.org - " zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org\0" + "To\0Stefan Berger <stefanb@linux.vnet.ibm.com>" + " Eric W. Biederman <ebiederm@xmission.com>\0" + "Cc\0mkayaalp@cs.binghamton.edu" + Mehmet Kayaalp <mkayaalp@linux.vnet.ibm.com> + sunyuqiong1988@gmail.com + containers@lists.linux-foundation.org + linux-kernel@vger.kernel.org + david.safford@ge.com + linux-security-module@vger.kernel.org + linux-integrity@vger.kernel.org + " zohar@linux.vnet.ibm.com\0" "\00:1\0" "b\0" "On Thu, 2018-03-15 at 14:51 -0400, Stefan Berger wrote:\n" 
@@ -32,9 +31,9 @@ "> > > > \n" "> > > > commit f36f8c75ae2e7d4da34f4c908cebdb4aa42c977e\n" "> > > > Author: David Howells <dhowells@redhat.com>\n" - "> > > > Date:\302\240\302\240\302\240Tue Sep 24 10:35:19 2013 +0100\n" + "> > > > Date: Tue Sep 24 10:35:19 2013 +0100\n" "> > > > \n" - "> > > > \302\240\302\240\302\240\302\240\302\240\302\240KEYS: Add per-user_namespace registers for persistent\n" + "> > > > KEYS: Add per-user_namespace registers for persistent\n" "> > > > per-UID\n" "> > > > kerberos caches\n" "> > > The benefit for IMA would be that this would then tie the keys\n" 
@@ -43,29 +42,24 @@ "> > > which is now hooked to the user namespace, and you join that user\n" "> > > namespace but your files don't have signatures, nothing will\n" "> > > execute anymore. That's now a side effect of joining this user\n" - "> > > namespace unless we have a magic\302\240\302\240exception. My feeling is,\n" + "> > > namespace unless we have a magic exception. My feeling is,\n" "> > > people may not like that...\n" "> > Agree, but I think the magic might be to populate the ima keyring\n" - "> > with the parent on user_ns creation.\302\240\302\240That way the user_ns owner\n" + "> > with the parent on user_ns creation. That way the user_ns owner\n" "> > can delete the parent keys if they don't like them, but by default\n" "> > the parent appraisal policy should just work.\n" "> \n" "> That may add keys to your keyring but doesn't get you signatures on\n" - "> your \302\240files.\n" + "> your files.\n" "\n" - "But it doesn't need to. \302\240The only way we'd get a failure is if the file\n" - "is already being appraised and we lose access to the key. \302\240If the\n" + "But it doesn't need to. The only way we'd get a failure is if the file\n" + "is already being appraised and we lose access to the key. If the\n" "parent policy isn't appraisal, entering the IMA NS won't cause\n" "appraisal to be turned on unless the owner asks for it, in which case\n" "it's caveat emptor: As it works today, if as root I add a default\n" "appraisal policy to IMA without either a key or xattrs, I get an\n" "unusable system.\n" "\n" - "James\n" - "\n" - "_______________________________________________\n" - "Containers mailing list\n" - "Containers@lists.linux-foundation.org\n" - https://lists.linuxfoundation.org/mailman/listinfo/containers + James -73066eaf3eb3f9a55210dc0b68bbc6c6eef3e5c3368297a0789ab6487a39f896 +27b4a1381cdc651e2d781a5229cc2aa5dbec0054987f63d49eb82f822a087acd
diff --git a/a/1.txt b/N2/1.txt index 7028e1c..31eeb55 100644 --- a/a/1.txt +++ b/N2/1.txt @@ -7,9 +7,9 @@ On Thu, 2018-03-15 at 14:51 -0400, Stefan Berger wrote: > > > > > > > > commit f36f8c75ae2e7d4da34f4c908cebdb4aa42c977e > > > > Author: David Howells <dhowells@redhat.com> -> > > > Date: Tue Sep 24 10:35:19 2013 +0100 +> > > > Date:???Tue Sep 24 10:35:19 2013 +0100 > > > > -> > > > KEYS: Add per-user_namespace registers for persistent +> > > > ??????KEYS: Add per-user_namespace registers for persistent > > > > per-UID > > > > kerberos caches > > > The benefit for IMA would be that this would then tie the keys @@ -18,18 +18,18 @@ On Thu, 2018-03-15 at 14:51 -0400, Stefan Berger wrote: > > > which is now hooked to the user namespace, and you join that user > > > namespace but your files don't have signatures, nothing will > > > execute anymore. That's now a side effect of joining this user -> > > namespace unless we have a magic exception. My feeling is, +> > > namespace unless we have a magic??exception. My feeling is, > > > people may not like that... > > Agree, but I think the magic might be to populate the ima keyring -> > with the parent on user_ns creation. That way the user_ns owner +> > with the parent on user_ns creation.??That way the user_ns owner > > can delete the parent keys if they don't like them, but by default > > the parent appraisal policy should just work. > > That may add keys to your keyring but doesn't get you signatures on -> your files. +> your ?files. -But it doesn't need to. The only way we'd get a failure is if the file -is already being appraised and we lose access to the key. If the +But it doesn't need to. ?The only way we'd get a failure is if the file +is already being appraised and we lose access to the key. ?If the parent policy isn't appraisal, entering the IMA NS won't cause appraisal to be turned on unless the owner asks for it, in which case it's caveat emptor: As it works today, if as root I add a default 
@@ -38,7 +38,7 @@ unusable system. James -_______________________________________________ -Containers mailing list -Containers@lists.linux-foundation.org -https://lists.linuxfoundation.org/mailman/listinfo/containers +-- +To unsubscribe from this list: send the line "unsubscribe linux-security-module" in +the body of a message to majordomo at vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/a/content_digest b/N2/content_digest index 5b39505..f8e1a9d 100644 --- a/a/content_digest +++ b/N2/content_digest 
@@ -6,21 +6,10 @@ "ref\02183a3b4-6270-d2e9-70ad-a7399eb1681c@linux.vnet.ibm.com\0" "ref\01521139535.5348.89.camel@HansenPartnership.com\0" "ref\00dc5b856-8dc6-7b5a-eeac-febd19f6498c@linux.vnet.ibm.com\0" - "ref\00dc5b856-8dc6-7b5a-eeac-febd19f6498c-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org\0" - "From\0James Bottomley <James.Bottomley-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>\0" - "Subject\0Re: [RFC PATCH v2 1/3] ima: extend clone() with IMA namespace support\0" + "From\0James.Bottomley@hansenpartnership.com (James Bottomley)\0" + "Subject\0[RFC PATCH v2 1/3] ima: extend clone() with IMA namespace support\0" "Date\0Thu, 15 Mar 2018 12:01:07 -0700\0" - "To\0Stefan Berger <stefanb-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>" - " Eric W. Biederman <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>\0" - "Cc\0mkayaalp-4hyTIkVWTs8LubxHQvXPfYdd74u8MsAO@public.gmane.org" - Mehmet Kayaalp <mkayaalp-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org> - sunyuqiong1988-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org - containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org - linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org - david.safford-JJi787mZWgc@public.gmane.org - linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org - linux-integrity-u79uwXL29TY76Z2rM5mHXA@public.gmane.org - " zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org\0" + "To\0linux-security-module@vger.kernel.org\0" "\00:1\0" "b\0" "On Thu, 2018-03-15 at 14:51 -0400, Stefan Berger wrote:\n" 
@@ -32,9 +21,9 @@ "> > > > \n" "> > > > commit f36f8c75ae2e7d4da34f4c908cebdb4aa42c977e\n" "> > > > Author: David Howells <dhowells@redhat.com>\n" - "> > > > Date:\302\240\302\240\302\240Tue Sep 24 10:35:19 2013 +0100\n" + "> > > > Date:???Tue Sep 24 10:35:19 2013 +0100\n" "> > > > \n" - "> > > > \302\240\302\240\302\240\302\240\302\240\302\240KEYS: Add per-user_namespace registers for persistent\n" + "> > > > ??????KEYS: Add per-user_namespace registers for persistent\n" "> > > > per-UID\n" "> > > > kerberos caches\n" "> > > The benefit for IMA would be that this would then tie the keys\n" 
@@ -43,18 +32,18 @@ "> > > which is now hooked to the user namespace, and you join that user\n" "> > > namespace but your files don't have signatures, nothing will\n" "> > > execute anymore. That's now a side effect of joining this user\n" - "> > > namespace unless we have a magic\302\240\302\240exception. My feeling is,\n" + "> > > namespace unless we have a magic??exception. My feeling is,\n" "> > > people may not like that...\n" "> > Agree, but I think the magic might be to populate the ima keyring\n" - "> > with the parent on user_ns creation.\302\240\302\240That way the user_ns owner\n" + "> > with the parent on user_ns creation.??That way the user_ns owner\n" "> > can delete the parent keys if they don't like them, but by default\n" "> > the parent appraisal policy should just work.\n" "> \n" "> That may add keys to your keyring but doesn't get you signatures on\n" - "> your \302\240files.\n" + "> your ?files.\n" "\n" - "But it doesn't need to. \302\240The only way we'd get a failure is if the file\n" - "is already being appraised and we lose access to the key. \302\240If the\n" + "But it doesn't need to. ?The only way we'd get a failure is if the file\n" + "is already being appraised and we lose access to the key. ?If the\n" "parent policy isn't appraisal, entering the IMA NS won't cause\n" "appraisal to be turned on unless the owner asks for it, in which case\n" "it's caveat emptor: As it works today, if as root I add a default\n" 
@@ -63,9 +52,9 @@ "\n" "James\n" "\n" - "_______________________________________________\n" - "Containers mailing list\n" - "Containers@lists.linux-foundation.org\n" - https://lists.linuxfoundation.org/mailman/listinfo/containers + "--\n" + "To unsubscribe from this list: send the line \"unsubscribe linux-security-module\" in\n" + "the body of a message to majordomo at vger.kernel.org\n" + More majordomo info at http://vger.kernel.org/majordomo-info.html -73066eaf3eb3f9a55210dc0b68bbc6c6eef3e5c3368297a0789ab6487a39f896 +401b0bc704323250d94f0f157a89d3e93530d66ccac69f5b226e52240aa9a96a
diff --git a/a/1.txt b/N3/1.txt index 7028e1c..e2e9921 100644 --- a/a/1.txt +++ b/N3/1.txt @@ -37,8 +37,3 @@ appraisal policy to IMA without either a key or xattrs, I get an unusable system. James - -_______________________________________________ -Containers mailing list -Containers@lists.linux-foundation.org -https://lists.linuxfoundation.org/mailman/listinfo/containers diff --git a/a/content_digest b/N3/content_digest index 5b39505..1d350ac 100644 --- a/a/content_digest +++ b/N3/content_digest 
@@ -6,21 +6,20 @@ "ref\02183a3b4-6270-d2e9-70ad-a7399eb1681c@linux.vnet.ibm.com\0" "ref\01521139535.5348.89.camel@HansenPartnership.com\0" "ref\00dc5b856-8dc6-7b5a-eeac-febd19f6498c@linux.vnet.ibm.com\0" - "ref\00dc5b856-8dc6-7b5a-eeac-febd19f6498c-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org\0" - "From\0James Bottomley <James.Bottomley-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>\0" + "From\0James Bottomley <James.Bottomley@hansenpartnership.com>\0" "Subject\0Re: [RFC PATCH v2 1/3] ima: extend clone() with IMA namespace support\0" "Date\0Thu, 15 Mar 2018 12:01:07 -0700\0" - "To\0Stefan Berger <stefanb-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>" - " Eric W. Biederman <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>\0" - "Cc\0mkayaalp-4hyTIkVWTs8LubxHQvXPfYdd74u8MsAO@public.gmane.org" - Mehmet Kayaalp <mkayaalp-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org> - sunyuqiong1988-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org - containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org - linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org - david.safford-JJi787mZWgc@public.gmane.org - linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org - linux-integrity-u79uwXL29TY76Z2rM5mHXA@public.gmane.org - " zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org\0" + "To\0Stefan Berger <stefanb@linux.vnet.ibm.com>" + " Eric W. Biederman <ebiederm@xmission.com>\0" + "Cc\0mkayaalp@cs.binghamton.edu" + Mehmet Kayaalp <mkayaalp@linux.vnet.ibm.com> + sunyuqiong1988@gmail.com + containers@lists.linux-foundation.org + linux-kernel@vger.kernel.org + david.safford@ge.com + linux-security-module@vger.kernel.org + linux-integrity@vger.kernel.org + " zohar@linux.vnet.ibm.com\0" "\00:1\0" "b\0" "On Thu, 2018-03-15 at 14:51 -0400, Stefan Berger wrote:\n" 
@@ -61,11 +60,6 @@ "appraisal policy to IMA without either a key or xattrs, I get an\n" "unusable system.\n" "\n" - "James\n" - "\n" - "_______________________________________________\n" - "Containers mailing list\n" - "Containers@lists.linux-foundation.org\n" - https://lists.linuxfoundation.org/mailman/listinfo/containers + James -73066eaf3eb3f9a55210dc0b68bbc6c6eef3e5c3368297a0789ab6487a39f896 +ac1dad380f79e66407bb5db977423f7c986314f3cf9e706d36130761e518a9d6
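Review bot: the N2 copy is a lossy duplicate, unlike N1 and N3, and the diff should be read that way. In its 1.txt hunks at `@@ -7,9 +7,9 @@` and `@@ -18,18 +18,18 @@` the non-breaking spaces that content_digest shows as `\302\240` come through as literal `?` characters (`Date:???Tue Sep 24`, `magic??exception`, `your ?files`), so the mirror behind N2 dropped the UTF-8 bytes rather than normalising them to plain spaces as the N1 and N3 copies do. Its content_digest header hunk also rewrites `From` to the `address (Name)` form, removes the `Re:` prefix from the Subject, and collapses To/Cc to `linux-security-module@vger.kernel.org`, which is why only the `Date` and `ref` lines still line up with the other copies. N1 and N3 differ from the original only in the removed gmane address obfuscation, the whitespace normalisation and the dropped list footer, so either is the better canonical copy; N2 should not be used as the body text for the digest.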