From mboxrd@z Thu Jan 1 00:00:00 1970
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755805AbcAMSBk (ORCPT); Wed, 13 Jan 2016 13:01:40 -0500
Received: from lan.nucleusys.com ([92.247.61.126]:55290 "EHLO zztop.nucleusys.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1755149AbcAMSBf (ORCPT); Wed, 13 Jan 2016 13:01:35 -0500
Date: Wed, 13 Jan 2016 20:01:29 +0200
From: Petko Manolov
To: Mimi Zohar
Cc: David Howells, James Morris, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, mdb@juniper.net
Subject: Re: [PATCH] X.509: Partially revert patch to add validation against IMA MOK keyring
Message-ID: <20160113180129.GA7826@localhost>
Mail-Followup-To: Mimi Zohar, David Howells, James Morris, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, mdb@juniper.net
References: <1452432410.2651.40.camel@linux.vnet.ibm.com> <20160106134525.15633.73582.stgit@warthog.procyon.org.uk> <24185.1452126854@warthog.procyon.org.uk> <1452180676.2890.21.camel@linux.vnet.ibm.com> <2033.1452447990@warthog.procyon.org.uk> <30355.1452562693@warthog.procyon.org.uk> <30974.1452618524@warthog.procyon.org.uk> <20160113163148.GA32533@bender.nucleusys.com> <1452707496.2683.14.camel@linux.vnet.ibm.com>
In-Reply-To: <1452707496.2683.14.camel@linux.vnet.ibm.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: linux-kernel-owner@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

On 16-01-13 12:51:36, Mimi Zohar wrote:
> On Wed, 2016-01-13 at 18:31 +0200, Petko Manolov wrote:
> >
> > I am not opposed to everything you suggest. Since we did that work in
> > parallel (your stuff and the IMA keyring additions) with no communication
> > between us, we ended up with a broken IMA model. I see three possibilities:
> >
> > - dump the IMA changes for this release (not happy about it);
> >
> > - try to quickly adapt the IMA system to your changes (not sure if it can be
> >   done easily and/or quickly) and do it properly for 4.6;
> >
> > - elevate .ima_mok/blacklist to system-wide RW keyrings (we may miss the merge
> >   window);
>
> I beg to differ. The IMA model is not broken with the current patches being
> upstreamed. The basic concepts developed will continue to be used, perhaps
> not directly by IMA.
>
> David's proposal is a major redesign of keyrings and the system keyring in
> particular. It looks promising, but will need to be reviewed.

Due to time limitations I was not able to study David's changes in detail. I
only commented on what (I thought) I understood. :) I assume a wider discussion
will clean out the details.

Petko