[PATCH v3 15/15] ima: extend policy language to support owner
The default appraisal policy measures all files owned by root. This patch extends the policy language with 'owner'. Signed-off-by: Mimi Zohar <zohar(a)us.ibm.com> --- Documentation/ABI/testing/ima_policy | 22 ++++++++++++++++++---- security/integrity/ima/ima_policy.c | 23 +++++++++++++++++++++-- 2 files c... 30 Jul 2010 11:53
[PATCH v3 09/15] fs: add evm_inode_post_init calls
After creating the initial LSM security extended attribute, call evm_inode_post_init_security() to create the 'security.evm' extended attribute. (Support for other fs still needed.) Signed-off-by: Mimi Zohar <zohar(a)us.ibm.com> Acked-by: Serge Hallyn <serue(a)us.ibm.com> --- fs/ext2/xattr_security.c | 31 +++... 30 Jul 2010 11:53
[PATCH v3 02/15] xattr: define vfs_getxattr_alloc and vfs_xattr_cmp
vfs_getxattr_alloc() and vfs_xattr_cmp() are two new kernel xattr helper functions. vfs_getxattr_alloc() first allocates memory for the requested xattr and then retrieves it. vfs_xattr_cmp() compares a given value with the contents of an extended attribute. Signed-off-by: Mimi Zohar <zohar(a)us.ibm.com> Acked-by:... 30 Jul 2010 11:53
[PATCH v3 12/15] ima: inode post_setattr
Changing an inode's metadata may result in our not needing to appraise the file. In such cases, we must remove 'security.ima'. Signed-off-by: Mimi Zohar <zohar(a)us.ibm.com> Acked-by: Serge Hallyn <serue(a)us.ibm.com> --- fs/attr.c | 2 ++ include/linux/ima.h | 6 ++++++ 2 files changed, 8 insert... 30 Jul 2010 11:53
[PATCH v3 00/15] EVM
Based on conversations on the SELinux mailing list with Stephan Smalley and Serge Hallyn as to EVM/IMA appraisal capabilities for setting xattrs, it was agreed, at least for the time being, they should require CAP_SYS_ADMIN, not CAP_MAC_ADMIN. Much appreciation to Stephan Smalley for resolving an EVM bug. Instead o... 30 Jul 2010 11:53
[PATCH v3 06/15] evm: inode post removexattr
When an EVM protected extended attribute is removed, update 'security.evm'. Signed-off-by: Mimi Zohar <zohar(a)us.ibm.com> Acked-by: Serge Hallyn <serue(a)us.ibm.com> --- fs/xattr.c | 5 ++++- include/linux/evm.h | 9 +++++++++ 2 files changed, 13 insertions(+), 1 deletions(-) diff --git a/fs/xat... 30 Jul 2010 11:53
[PATCH] MTD: pxa2xx: move pxa2xx_flash_probe to .devinit.text
This fixes the following warning by modpost: WARNING: vmlinux.o(.data+0x15018): Section mismatch in reference from the variable pxa2xx_flash_driver to the function .init.text:pxa2xx_flash_probe() The variable pxa2xx_flash_driver references the function __init pxa2xx_flash_probe() If the reference is valid the... 30 Jul 2010 11:53
[PATCH v3 05/15] security: imbed evm calls in security hooks
Imbed the evm calls evm_inode_setxattr(), evm_inode_post_setxattr(), evm_inode_removexattr() in the security hooks. evm_inode_setxattr() protects security.evm xattr. evm_inode_post_setxattr() and evm_inode_removexattr() update the hmac associated with an inode. (Assumes an LSM module protects the setting/remov... 30 Jul 2010 11:53
[PATCH v3 14/15] ima: appraise measurement required
Even if allowed to update security.ima, reset the appraisal flags, forcing re-appraisal. Signed-off-by: Mimi Zohar <zohar(a)us.ibm.com> --- security/integrity/ima/ima_main.c | 33 +++++++++++++++++++++++++++++++-- 1 files changed, 31 insertions(+), 2 deletions(-) diff --git a/security/integrity/ima/ima_main.... 30 Jul 2010 11:53
[PATCH v3 11/15] ima: appraise default rules
Unlike the IMA measurement policy, the appraise policy can not be dependent on runtime process information, such as the task uid, as the 'security.ima' xattr is written on file close and must be updated each time the file changes, regardless of the current task uid. The appraise default policy appraises all files o... 30 Jul 2010 11:53