Hi
It's hard to say what causes this. Perhaps dm-crypt exhausts all the
higher-order pages and some subsystem stalls because of it.
In drivers/md/dm-crypt.c in function crypt_alloc_buffer there is
"unsigned int order = MAX_ORDER - 1"
What happens if you set the "order" variable to some small va
dm-error is used in several test cases in the xfstests test suite to
check the handling of IO errors in file syatems. However, with several
file systems getting native support for zoned block devices (e.g. btrfs
and f2fs), dm-error lack of zoned block device support creates problems
as the file sys
On Oct 4, 2023 Fan Wu wrote:
>
> IPE's interpretation of the what the user trusts is accomplished through
> its policy. IPE's design is to not provide support for a single trust
> provider, but to support multiple providers to enable the end-user to
> choose the best one to seek their needs.
>
On Oct 4, 2023 Fan Wu wrote:
>
> IPE must have a centralized function to evaluate incoming callers
> against IPE's policy. This iteration of the policy for against the rules
> for that specific caller is known as the evaluation loop.
>
> Signed-off-by: Deven Bowers
> Signed-off-by: Fan Wu
> -
On Oct 4, 2023 Fan Wu wrote:
>
> IPE is designed to provide system level trust guarantees, this usually
> implies that trust starts from bootup with a hardware root of trust,
> which validates the bootloader. After this, the bootloader verifies the
> kernel and the initramfs.
>
> As there's no
On Oct 4, 2023 Fan Wu wrote:
>
> Users of IPE require a way to identify when and why an operation fails,
> allowing them to both respond to violations of policy and be notified
> of potentially malicious actions on their systems with respect to IPE
> itself.
>
> This patch introduces 3 new audi
On Oct 4, 2023 Fan Wu wrote:
>
> IPE's initial goal is to control both execution and the loading of
> kernel modules based on the system's definition of trust. It
> accomplishes this by plugging into the security hooks for
> bprm_check_security, file_mprotect, mmap_file, kernel_load_data,
> and
On Oct 4, 2023 Fan Wu wrote:
>
> This patch adds a target finalize hook.
>
> The hook is triggered just before activating an inactive table of a
> mapped device. If it returns an error the __bind get cancelled.
>
> The dm-verity target will use this hook to attach the dm-verity's
> roothash me
On Oct 4, 2023 Fan Wu wrote:
>
> Enable IPE policy authors to indicate trust for a singular fsverity
> file, identified by the digest information, through "fsverity_digest"
> and all files using fsverity's builtin signatures via
> "fsverity_signature".
>
> This enables file-level integrity clai
On Oct 4, 2023 Fan Wu wrote:
>
> Allows author of IPE policy to indicate trust for a singular dm-verity
> volume, identified by roothash, through "dmverity_roothash" and all
> signed dm-verity volumes, through "dmverity_signature".
>
> Signed-off-by: Deven Bowers
> Signed-off-by: Fan Wu
> ---
On Oct 4, 2023 Fan Wu wrote:
>
> Enables an IPE policy to be enforced from kernel start, enabling access
> control based on trust from kernel startup. This is accomplished by
> transforming an IPE policy indicated by CONFIG_IPE_BOOT_POLICY into a
> c-string literal that is parsed at kernel start
On Oct 4, 2023 Fan Wu wrote:
>
> fsverity represents a mechanism to support both integrity and
> authenticity protection of a file, supporting both signed and unsigned
> digests.
>
> An LSM which controls access to a resource based on authenticity and
> integrity of said resource, can then use
On Oct 4, 2023 Fan Wu wrote:
>
> dm-verity provides a strong guarantee of a block device's integrity. As
> a generic way to check the integrity of a block device, it provides
> those integrity guarantees to its higher layers, including the filesystem
> level.
>
> An LSM that control access to a
On Oct 4, 2023 Fan Wu wrote:
>
> The device-mapper has a flag to mark targets as singleton, which is a
> required flag for immutable targets. Without this flag, multiple
> dm-verity targets can be added to a mapped device, which has no
> practical use cases and will let dm_table_get_immutable_ta
On Oct 4, 2023 Fan Wu wrote:
>
> Add various happy/unhappy unit tests for both IPE's parser.
I'm going to suggest: "... for IPE's policy parser."
Also, aside from the policy parser tests, are there any other IPE
functional tests? We do have a testing guideline for new LSM
submissions:
"New
On Oct 4, 2023 Fan Wu wrote:
>
> IPE, like SELinux, supports a permissive mode. This mode allows policy
> authors to test and evaluate IPE policy without it effecting their
> programs. When the mode is changed, a 1404 AUDIT_MAC_STATUS
> be reported.
>
> This patch adds the following audit recor
Thanks, this looks good to me and fixes the problems I've seen
Reviewed-by: Christoph Hellwig
Tested-by: Christoph Hellwig
FTI, this is the xfstests change we need to use dm-error for zoned
devices in xfstests:
diff --git a/common/rc b/common/rc
index 741579af..9e07d79d 100644
--- a/common/rc
17 matches
Mail list logo
