diff for duplicates of <87fu38jq98.fsf@xmission.com> diff --git a/a/1.txt b/N1/1.txt index c0ee6bb..8e1702c 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -71,8 +71,3 @@ policy. Enforcing any quality controls in the signed executables should trivially prevent kexec_load from being used. Eric - -_______________________________________________ -kexec mailing list -kexec@lists.infradead.org -http://lists.infradead.org/mailman/listinfo/kexec diff --git a/a/content_digest b/N1/content_digest index 1e98be5..786c05d 100644 --- a/a/content_digest +++ b/N1/content_digest @@ -8,13 +8,13 @@ "Date\0Thu, 03 May 2018 18:03:47 -0500\0" "To\0Mimi Zohar <zohar@linux.vnet.ibm.com>\0" "Cc\0Kees Cook <keescook@chromium.org>" - kernel-hardening@lists.openwall.com - kexec@lists.infradead.org - linux-kernel@vger.kernel.org - Matthew Garrett <mjg59@google.com> David Howells <dhowells@redhat.com> + Matthew Garrett <mjg59@google.com> + linux-integrity@vger.kernel.org linux-security-module@vger.kernel.org - " linux-integrity@vger.kernel.org\0" + kexec@lists.infradead.org + linux-kernel@vger.kernel.org + " kernel-hardening@lists.openwall.com\0" "\00:1\0" "b\0" "Mimi Zohar <zohar@linux.vnet.ibm.com> writes:\n" @@ -89,11 +89,6 @@ "policy. Enforcing any quality controls in the signed executables should\n" "trivially prevent kexec_load from being used.\n" "\n" - "Eric\n" - "\n" - "_______________________________________________\n" - "kexec mailing list\n" - "kexec@lists.infradead.org\n" - http://lists.infradead.org/mailman/listinfo/kexec + Eric -c3acbb623accee99a9b35cad97e1222481dcb1fff3e27f95be8c630b493330c4 +a2ccf036a0320a30c6f8fb361284236834926a43f742d0208bbdbcb9584d5955
diff --git a/a/1.txt b/N2/1.txt index c0ee6bb..4fccc8a 100644 --- a/a/1.txt +++ b/N2/1.txt @@ -22,11 +22,11 @@ Mimi Zohar <zohar@linux.vnet.ibm.com> writes: >> >> instrument of policy. >> > >> > True, for those building their own kernel, they can disable the old ->> > syscalls. The concern is not for those building their own kernels, ->> > but for those using stock kernels. +>> > syscalls. The concern is not for those building their own kernels, +>> > but for those using stock kernels. >> > >> > By adding an LSM hook here in the kexec_load syscall, as opposed to an ->> > IMA specific hook, other LSMs can piggy back on top of it. Currently, +>> > IMA specific hook, other LSMs can piggy back on top of it. Currently, >> > both load_pin and SELinux are gating the kernel module syscalls based >> > on security_kernel_read_file. >> > @@ -43,7 +43,7 @@ Mimi Zohar <zohar@linux.vnet.ibm.com> writes: > Suppose a system owner wants to define a system wide policy that > requires all code be signed - kernel modules, firmware, kexec image & > initramfs, executables, mmapped files, etc - without having to rebuild -> the kernel. Without a call in kexec_load that isn't possible. +> the kernel. Without a call in kexec_load that isn't possible. Of course it is. You just make it a requirement that before an executable will be signed it will be audited to see that it doesn't @@ -71,8 +71,3 @@ policy. Enforcing any quality controls in the signed executables should trivially prevent kexec_load from being used. Eric - -_______________________________________________ -kexec mailing list -kexec@lists.infradead.org -http://lists.infradead.org/mailman/listinfo/kexec diff --git a/a/content_digest b/N2/content_digest index 1e98be5..0c57259 100644 --- a/a/content_digest +++ b/N2/content_digest 
@@ -8,13 +8,13 @@ "Date\0Thu, 03 May 2018 18:03:47 -0500\0" "To\0Mimi Zohar <zohar@linux.vnet.ibm.com>\0" "Cc\0Kees Cook <keescook@chromium.org>" - kernel-hardening@lists.openwall.com - kexec@lists.infradead.org - linux-kernel@vger.kernel.org - Matthew Garrett <mjg59@google.com> David Howells <dhowells@redhat.com> + Matthew Garrett <mjg59@google.com> + linux-integrity@vger.kernel.org linux-security-module@vger.kernel.org - " linux-integrity@vger.kernel.org\0" + kexec@lists.infradead.org + linux-kernel@vger.kernel.org + " kernel-hardening@lists.openwall.com\0" "\00:1\0" "b\0" "Mimi Zohar <zohar@linux.vnet.ibm.com> writes:\n" @@ -41,11 +41,11 @@ ">> >> instrument of policy.\n" ">> >\n" ">> > True, for those building their own kernel, they can disable the old\n" - ">> > syscalls. \302\240The concern is not for those building their own kernels,\n" - ">> > but for those using stock kernels. \302\240\n" + ">> > syscalls. The concern is not for those building their own kernels,\n" + ">> > but for those using stock kernels. \n" ">> >\n" ">> > By adding an LSM hook here in the kexec_load syscall, as opposed to an\n" - ">> > IMA specific hook, other LSMs can piggy back on top of it. \302\240Currently,\n" + ">> > IMA specific hook, other LSMs can piggy back on top of it. Currently,\n" ">> > both load_pin and SELinux are gating the kernel module syscalls based\n" ">> > on security_kernel_read_file.\n" ">> >\n" @@ -62,7 +62,7 @@ "> Suppose a system owner wants to define a system wide policy that\n" "> requires all code be signed - kernel modules, firmware, kexec image &\n" "> initramfs, executables, mmapped files, etc - without having to rebuild\n" - "> the kernel. \302\240Without a call in kexec_load that isn't possible.\n" + "> the kernel. Without a call in kexec_load that isn't possible.\n" "\n" "Of course it is. You just make it a requirement that before an\n" "executable will be signed it will be audited to see that it doesn't\n" 
@@ -89,11 +89,6 @@ "policy. Enforcing any quality controls in the signed executables should\n" "trivially prevent kexec_load from being used.\n" "\n" - "Eric\n" - "\n" - "_______________________________________________\n" - "kexec mailing list\n" - "kexec@lists.infradead.org\n" - http://lists.infradead.org/mailman/listinfo/kexec + Eric -c3acbb623accee99a9b35cad97e1222481dcb1fff3e27f95be8c630b493330c4 +40d193e8b96f05cea8d01c591afa39045498998fdb4e786b6c8f70fa652d8778
diff --git a/a/1.txt b/N3/1.txt index c0ee6bb..20d2b47 100644 --- a/a/1.txt +++ b/N3/1.txt @@ -22,11 +22,11 @@ Mimi Zohar <zohar@linux.vnet.ibm.com> writes: >> >> instrument of policy. >> > >> > True, for those building their own kernel, they can disable the old ->> > syscalls. The concern is not for those building their own kernels, ->> > but for those using stock kernels. +>> > syscalls. ?The concern is not for those building their own kernels, +>> > but for those using stock kernels. ? >> > >> > By adding an LSM hook here in the kexec_load syscall, as opposed to an ->> > IMA specific hook, other LSMs can piggy back on top of it. Currently, +>> > IMA specific hook, other LSMs can piggy back on top of it. ?Currently, >> > both load_pin and SELinux are gating the kernel module syscalls based >> > on security_kernel_read_file. >> > @@ -43,7 +43,7 @@ Mimi Zohar <zohar@linux.vnet.ibm.com> writes: > Suppose a system owner wants to define a system wide policy that > requires all code be signed - kernel modules, firmware, kexec image & > initramfs, executables, mmapped files, etc - without having to rebuild -> the kernel. Without a call in kexec_load that isn't possible. +> the kernel. ?Without a call in kexec_load that isn't possible. Of course it is. You just make it a requirement that before an executable will be signed it will be audited to see that it doesn't @@ -71,8 +71,7 @@ policy. Enforcing any quality controls in the signed executables should trivially prevent kexec_load from being used. Eric - -_______________________________________________ -kexec mailing list -kexec@lists.infradead.org -http://lists.infradead.org/mailman/listinfo/kexec +-- +To unsubscribe from this list: send the line "unsubscribe linux-security-module" in +the body of a message to majordomo at vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/a/content_digest b/N3/content_digest index 1e98be5..a036bb1 100644 --- a/a/content_digest 
+++ b/N3/content_digest @@ -4,17 +4,9 @@ "ref\087d0yco1vy.fsf@xmission.com\0" "ref\01525384675.3539.89.camel@linux.vnet.ibm.com\0" "From\0ebiederm@xmission.com (Eric W. Biederman)\0" - "Subject\0Re: [PATCH 0/3] kexec: limit kexec_load syscall\0" + "Subject\0[PATCH 0/3] kexec: limit kexec_load syscall\0" "Date\0Thu, 03 May 2018 18:03:47 -0500\0" - "To\0Mimi Zohar <zohar@linux.vnet.ibm.com>\0" - "Cc\0Kees Cook <keescook@chromium.org>" - kernel-hardening@lists.openwall.com - kexec@lists.infradead.org - linux-kernel@vger.kernel.org - Matthew Garrett <mjg59@google.com> - David Howells <dhowells@redhat.com> - linux-security-module@vger.kernel.org - " linux-integrity@vger.kernel.org\0" + "To\0linux-security-module@vger.kernel.org\0" "\00:1\0" "b\0" "Mimi Zohar <zohar@linux.vnet.ibm.com> writes:\n" @@ -41,11 +33,11 @@ ">> >> instrument of policy.\n" ">> >\n" ">> > True, for those building their own kernel, they can disable the old\n" - ">> > syscalls. \302\240The concern is not for those building their own kernels,\n" - ">> > but for those using stock kernels. \302\240\n" + ">> > syscalls. ?The concern is not for those building their own kernels,\n" + ">> > but for those using stock kernels. ?\n" ">> >\n" ">> > By adding an LSM hook here in the kexec_load syscall, as opposed to an\n" - ">> > IMA specific hook, other LSMs can piggy back on top of it. \302\240Currently,\n" + ">> > IMA specific hook, other LSMs can piggy back on top of it. ?Currently,\n" ">> > both load_pin and SELinux are gating the kernel module syscalls based\n" ">> > on security_kernel_read_file.\n" ">> >\n" 
@@ -62,7 +54,7 @@ "> Suppose a system owner wants to define a system wide policy that\n" "> requires all code be signed - kernel modules, firmware, kexec image &\n" "> initramfs, executables, mmapped files, etc - without having to rebuild\n" - "> the kernel. \302\240Without a call in kexec_load that isn't possible.\n" + "> the kernel. ?Without a call in kexec_load that isn't possible.\n" "\n" "Of course it is. You just make it a requirement that before an\n" "executable will be signed it will be audited to see that it doesn't\n" @@ -90,10 +82,9 @@ "trivially prevent kexec_load from being used.\n" "\n" "Eric\n" - "\n" - "_______________________________________________\n" - "kexec mailing list\n" - "kexec@lists.infradead.org\n" - http://lists.infradead.org/mailman/listinfo/kexec + "--\n" + "To unsubscribe from this list: send the line \"unsubscribe linux-security-module\" in\n" + "the body of a message to majordomo at vger.kernel.org\n" + More majordomo info at http://vger.kernel.org/majordomo-info.html -c3acbb623accee99a9b35cad97e1222481dcb1fff3e27f95be8c630b493330c4 +982688310c0c2599b7e2f5a028b50c396ce8d69539988075bc339675ecbde189
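Review bot: the N3 copy is lossy in both its 1.txt and content_digest hunks. The non-breaking spaces (`\302\240`) in the quoted text have become literal `?` characters, the Subject has lost its "Re:" prefix, and the To/Cc headers are reduced to a single "To" of linux-security-module@vger.kernel.org. For quoting or threading this message, prefer the a/ copy, which keeps the `\302\240` bytes and the full To/Cc list. The N1 and N2 hunks differ from a/ only in the dropped kexec list footer and the order of the Cc entries. N2 also has the non-breaking spaces normalised to plain spaces.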