Re: [dm-devel] [PATCH] md: use preallocated hashed wait queues instead of mddev->sb_wait

On Tue, Jan 24, 2023 at 10:06 PM Mikulas Patocka wrote: > > There's a theoretical race condition in md. > > super_written calls: > if (atomic_dec_and_test(&mddev->pending_writes)) > wake_up(&mddev->sb_wait); > > If the process is rescheduled just after atomic_dec_and_test a

Re: [dm-devel] [PATCH] md: use preallocated hashed wait queues instead of mddev->sb_wait

Hi Mikulas Can we fix this by this: --- a/drivers/md/md.c +++ b/drivers/md/md.c @@ -929,10 +929,10 @@ static void super_written(struct bio *bio) bio_put(bio); - rdev_dec_pending(rdev, mddev); - if (atomic_dec_and_test(&mddev->pending_writes)) wake_up(&mddev

[dm-devel] [RFC PATCH v9 09/16] block|security: add LSM blob to block_device

From: Deven Bowers block_device structures can have valuable security properties, based on how they are created, and what subsystem manages them. By adding LSM storage to this structure, this data can be accessed at the LSM layer. Signed-off-by: Deven Bowers Signed-off-by: Fan Wu Reviewed-by:

[dm-devel] [RFC PATCH v9 04/16] security: add new securityfs delete function

When deleting a directory in the security file system, the existing securityfs_remove requires the directory to be empty, otherwise it will do nothing. This leads to a potential risk that the security file system might be in an unclean state when the intentded deletion did not happen. This commit

[dm-devel] [RFC PATCH v9 10/16] dm-verity: consume root hash digest and signature data via LSM hook

From: Deven Bowers dm-verity provides a strong guarantee of a block device's integrity. As a generic way to check the integrity of a block device, it provides those integrity guarantees to its higher layers, including the filesystem level. An LSM that control access to a resource on the system b

[dm-devel] [RFC PATCH v9 15/16] ipe: kunit test for parser

From: Deven Bowers Add various happy/unhappy unit tests for both IPE's parser. Signed-off-by: Deven Bowers Signed-off-by: Fan Wu --- v1-v6: + Not present v7: Introduced v8: + Remove the kunit tests with respect to the fsverity digest, as these require significant changes to work w

[dm-devel] [RFC PATCH v9 01/16] security: add ipe lsm

From: Deven Bowers Integrity Policy Enforcement (IPE) is an LSM that provides an complimentary approach to Mandatory Access Control than existing LSMs today. Existing LSMs have centered around the concept of access to a resource should be controlled by the current user's credentials. IPE's appro

[dm-devel] [RFC PATCH v9 13/16] ipe: enable support for fs-verity as a trust provider

Enable IPE policy authors to indicate trust for a singular fsverity file, identified by the digest information, through "fsverity_digest" and all files using fsverity's builtin signatures via "fsverity_signature". This enables file-level integrity claims to be expressed in IPE, allowing individual

[dm-devel] [RFC PATCH v9 14/16] scripts: add boot policy generation program

From: Deven Bowers Enables an IPE policy to be enforced from kernel start, enabling access control based on trust from kernel startup. This is accomplished by transforming an IPE policy indicated by CONFIG_IPE_BOOT_POLICY into a c-string literal that is parsed at kernel startup as an unsigned pol

Re: [dm-devel] [PATCH] dm: remove unnecessary check when using dm_get_mdptr()

ping ? Any comments on this clean up patch ? On 1/18/2023 9:16 PM, Hou Tao wrote: > ping ? > > On 12/16/2022 12:23 PM, Hou Tao wrote: >> From: Hou Tao >> >> __hash_remove() removes hash_cell with _hash_lock locked, so acquiring >> _hash_lock can guarantee no-NULL hc returned from dm_get_mdptr() m

[dm-devel] [RFC PATCH v9 07/16] uapi|audit|ipe: add ipe auditing support

From: Deven Bowers Users of IPE require a way to identify when and why an operation fails, allowing them to both respond to violations of policy and be notified of potentially malicious actions on their systens with respect to IPE itself. The new 1420 audit, AUDIT_IPE_ACCESS indicates the result

[dm-devel] [RFC PATCH v9 16/16] documentation: add ipe documentation

From: Deven Bowers Add IPE's admin and developer documentation to the kernel tree. Co-developed-by: Fan Wu Signed-off-by: Deven Bowers Signed-off-by: Fan Wu --- v2: + No Changes v3: + Add Acked-by + Fixup code block syntax + Fix a minor grammatical issue. v4: + Update documentatio

Re: [dm-devel] [RFC PATCH v9 16/16] documentation: add ipe documentation

On Mon, Jan 30, 2023 at 02:57:31PM -0800, Fan Wu wrote: > diff --git a/Documentation/admin-guide/LSM/ipe.rst > b/Documentation/admin-guide/LSM/ipe.rst > new file mode 100644 > index ..b676cea62b2e > --- /dev/null > +++ b/Documentation/admin-guide/LSM/ipe.rst > @@ -0,0 +1,729 @@ > +.. S

Re: [dm-devel] [PATCH 1/9] Documentation: admin-guide: correct spelling

On 1/30/2023 4:40 AM, Randy Dunlap wrote: Correct spelling problems for Documentation/admin-guide/ as reported by codespell. Signed-off-by: Randy Dunlap Cc: Jonathan Corbet Cc: linux-...@vger.kernel.org Cc: Tejun Heo Cc: Zefan Li Cc: Johannes Weiner Cc: cgro...@vger.kernel.org Cc: Alasda

[dm-devel] [RFC PATCH v9 02/16] ipe: add policy parser

From: Deven Bowers IPE's interpretation of the what the user trusts is accomplished through its policy. IPE's design is to not provide support for a single trust provider, but to support multiple providers to enable the end-user to choose the best one to seek their needs. This requires the polic

[dm-devel] [RFC PATCH v9 05/16] ipe: add userspace interface

From: Deven Bowers As is typical with LSMs, IPE uses securityfs as its interface with userspace. for a complete list of the interfaces and the respective inputs/outputs, please see the documentation under admin-guide/LSM/ipe.rst Signed-off-by: Deven Bowers Signed-off-by: Fan Wu --- v2: + Sp

[dm-devel] [RFC PATCH v9 06/16] ipe: add LSM hooks on execution and kernel read

From: Deven Bowers IPE's initial goal is to control both execution and the loading of kernel modules based on the system's definition of trust. It accomplishes this by plugging into the security hooks for bprm_check_security, file_mprotect, mmap_file, kernel_load_data, and kernel_read_data. Sign

[dm-devel] [RFC PATCH v9 03/16] ipe: add evaluation loop and introduce 'boot_verified' as a trust provider

From: Deven Bowers IPE must have a centralized function to evaluate incoming callers against IPE's policy. This iteration of the policy against the rules for that specific caller is known as the evaluation loop. In addition, IPE is designed to provide system level trust guarantees, this usually

[dm-devel] [RFC PATCH v9 00/16] Integrity Policy Enforcement LSM (IPE)

Overview: - IPE is a Linux Security Module which takes a complimentary approach to access control. Whereas existing mandatory access control mechanisms base their decisions on labels and paths, IPE instead determines whether or not an operation should be allowed based on immutable security

[dm-devel] [RFC PATCH v9 11/16] ipe: add support for dm-verity as a trust provider

From: Deven Bowers Allows author of IPE policy to indicate trust for a singular dm-verity volume, identified by roothash, through "dmverity_roothash" and all signed dm-verity volumes, through "dmverity_signature". Signed-off-by: Deven Bowers Signed-off-by: Fan Wu --- v2: + No Changes v3:

[dm-devel] [RFC PATCH v9 12/16] fsverity: consume builtin signature via LSM hook

fsverity represents a mechanism to support both integrity and authenticity protection of a file, supporting both signed and unsigned digests. An LSM which controls access to a resource based on authenticity and integrity of said resource, can then use this data to make an informed decision on the

[dm-devel] [RFC PATCH v9 08/16] ipe: add permissive toggle

From: Deven Bowers IPE, like SELinux, supports a permissive mode. This mode allows policy authors to test and evaluate IPE policy without it effecting their programs. When the mode is changed, a 1404 AUDIT_MAC_STATUS be reported. This patch adds the following audit records: audit: MAC_STATUS