| File | Last commit | Last updated |
|---|---|---|
IMA: Fix the incorrect definition and use of IMA_FIX_OVERLAYFS_DETECTION hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IBCIAZ -------------------------------- The definition of IMA_FIX_OVERLAYFS_DETECTION is wrong with the bool field has no content, and the use of it in ima_main.c is wrong with the missing prefix CONFIG_, so correct them. Fixes: a670a0ede1e7 ("IMA: Introduce a config for fix on IMA with Overlayfs issue") Signed-off-by: Xiang Yang <xiangyang3@huawei.com> | 1 year ago | |
IMA: Support the measurement extending of TSI TMM EulerOS inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I9RJ09 -------------------------------- This patch supports the RoT (Root of Trust) implemented by TSI TMM, which is used in virtCCA CVM feature. This patch includes the three parts: 1. Use a bool flag to determine whether the CVM is enabled. If enabled, bypass TPM. 2. Read the value of slot 0 (RIM) as the boot aggregate value, which is the measurement result of RIM. 3. Extend the IMA measure log hash into slot1 (REM0). Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com> | 2 years ago | |
ima: Avoid blocking in RCU read-side critical section stable inclusion from stable-v5.10.222 commit a6176a802c4bfb83bf7524591aa75f44a639a853 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I9HXKB Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=a6176a802c4bfb83bf7524591aa75f44a639a853 -------------------------------- commit 9a95c5bfbf02a0a7f5983280fe284a0ff0836c34 upstream. A panic happens in ima_match_policy: BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 PGD 42f873067 P4D 0 Oops: 0000 [#1] SMP NOPTI CPU: 5 PID: 1286325 Comm: kubeletmonit.sh Kdump: loaded Tainted: P Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015 RIP: 0010:ima_match_policy+0x84/0x450 Code: 49 89 fc 41 89 cf 31 ed 89 44 24 14 eb 1c 44 39 7b 18 74 26 41 83 ff 05 74 20 48 8b 1b 48 3b 1d f2 b9 f4 00 0f 84 9c 01 00 00 <44> 85 73 10 74 ea 44 8b 6b 14 41 f6 c5 01 75 d4 41 f6 c5 02 74 0f RSP: 0018:ff71570009e07a80 EFLAGS: 00010207 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000200 RDX: ffffffffad8dc7c0 RSI: 0000000024924925 RDI: ff3e27850dea2000 RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffabfce739 R10: ff3e27810cc42400 R11: 0000000000000000 R12: ff3e2781825ef970 R13: 00000000ff3e2785 R14: 000000000000000c R15: 0000000000000001 FS: 00007f5195b51740(0000) GS:ff3e278b12d40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 0000000626d24002 CR4: 0000000000361ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ima_get_action+0x22/0x30 process_measurement+0xb0/0x830 ? page_add_file_rmap+0x15/0x170 ? alloc_set_pte+0x269/0x4c0 ? prep_new_page+0x81/0x140 ? simple_xattr_get+0x75/0xa0 ? selinux_file_open+0x9d/0xf0 ima_file_check+0x64/0x90 path_openat+0x571/0x1720 do_filp_open+0x9b/0x110 ? page_counter_try_charge+0x57/0xc0 ? 
files_cgroup_alloc_fd+0x38/0x60 ? __alloc_fd+0xd4/0x250 ? do_sys_open+0x1bd/0x250 do_sys_open+0x1bd/0x250 do_syscall_64+0x5d/0x1d0 entry_SYSCALL_64_after_hwframe+0x65/0xca Commit c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()") introduced call to ima_lsm_copy_rule within a RCU read-side critical section which contains kmalloc with GFP_KERNEL. This implies a possible sleep and violates limitations of RCU read-side critical sections on non-PREEMPT systems. Sleeping within RCU read-side critical section might cause synchronize_rcu() returning early and break RCU protection, allowing a UAF to happen. The root cause of this issue could be described as follows: | Thread A | Thread B | | |ima_match_policy | | | rcu_read_lock | |ima_lsm_update_rule | | | synchronize_rcu | | | | kmalloc(GFP_KERNEL)| | | sleep | ==> synchronize_rcu returns early | kfree(entry) | | | | entry = entry->next| ==> UAF happens and entry now becomes NULL (or could be anything). | | entry->action | ==> Accessing entry might cause panic. To fix this issue, we are converting all kmalloc that is called within RCU read-side critical section to use GFP_ATOMIC. Fixes: c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()") Cc: stable@vger.kernel.org Signed-off-by: GUO Zihua <guozihua@huawei.com> Acked-by: John Johansen <john.johansen@canonical.com> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Reviewed-by: Casey Schaufler <casey@schaufler-ca.com> [PM: fixed missing comment, long lines, !CONFIG_IMA_LSM_RULES case] Signed-off-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Gu Bowen <gubowen5@huawei.com> | 1 year ago | |
IMA: use real_inode to get the i_version hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/ICDKL2 -------------------------------- overlayfs has two types of inode, the overlayfs inode generated by overlayfs and the real inode of the file. When IMA does the measurement, process_measurement() will try to detect file content changes for files on an overlayfs filesystem based on the i_version number of the real inode. But now comparing with value of overlayfs inode, results in always re-evaluating the file's integrity. Therefore, ima_collect_measurement() should update iint->iversion with real_inode iversion. Also, ima_check_last_writer() should compare i_version based on real_inode. This patch is based on the implementation of upstream patch (see below Link tag). Due to merging the pre-patch to resolve conflicts introduces KABI changes, we don't fix this with the mainline version. Link: https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=db1d1e8b9867aae5c3e61ad7859abfcc4a6fd6c7 Fixes: b836c4d29f27 ("ima: detect changes to the backing overlay file") Signed-off-by: Gu Bowen <gubowen5@huawei.com> | 1 year ago | |
ima: Add macros to isolate the IMA digest list euleros inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I7YT6U -------------------------------- Isolate the IMA digest list code by using macros. changelog v2: Exclude some macros for code that has already been merged into upstream kernel v3: add patch header and fix some simple code warnings v4: merge some duplicate code and add macro comments v5: format the code and update the issue number v6: merge duplicate code instead of isolating the entire function Signed-off-by: Zhou Shuiqing <zhoushuiqing2@huawei.com> | 2 years ago | |
Revert "ima: Add ima namespace to the ima subsystem APIs" hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4O25G CVE: NA -------------------------------- This reverts commit c2b095cc0f1447fbbeade7ba09c6e9e9ee75fca4. Signed-off-by: Zhang Tianxing <zhangtianxing3@huawei.com> Acked-by: Xie XiuQi <xiexiuqi@huawei.com> Acked-by: Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com> | 4 years ago | |
ima: Fix potential memory leak in ima_init_crypto() stable inclusion from stable-v5.10.132 commit c1d9702ceb4a091da6bee380627596d1fba09274 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5YS3T Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=c1d9702ceb4a091da6bee380627596d1fba09274 -------------------------------- [ Upstream commit 067d2521874135267e681c19d42761c601d503d6 ] On failure to allocate the SHA1 tfm, IMA fails to initialize and exits without freeing the ima_algo_array. Add the missing kfree() for ima_algo_array to avoid the potential memory leak. Signed-off-by: Jianglei Nie <niejianglei2021@163.com> Fixes: 6d94809af6b0 ("ima: Allocate and initialize tfm for each PCR bank") Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com> Acked-by: Xie XiuQi <xiexiuqi@huawei.com> | 3 years ago | |
ima: Fix violation digests extending issue in cvm EulerOS inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IA71XS ------------------------------ Add the special process of IMA violation digests, the digest with all of 0xff is extended. Fixes: b1410546d39f ("IMA: Support the measurement extending of TSI TMM") Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com> | 1 year ago | |
IMA: Support the measurement extending of TSI TMM EulerOS inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I9RJ09 -------------------------------- This patch supports the RoT (Root of Trust) implemented by TSI TMM, which is used in virtCCA CVM feature. This patch includes the three parts: 1. Use a bool flag to determine whether the CVM is enabled. If enabled, bypass TPM. 2. Read the value of slot 0 (RIM) as the boot aggregate value, which is the measurement result of RIM. 3. Extend the IMA measure log hash into slot1 (REM0). Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com> | 2 years ago | |
IMA: Fix hungtask issue of digestlist importing EulerOS inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IB6364 -------------------------------- In the function ima_check_measured_appraised, if the digest list is not measured or appraised, the function returns without releasing the lock iint->mutex. Fixes: 7d79ba086bd6 ("ima: dont disable digest_list if the file is not processed") Signed-off-by: xuce <xuce10@h-partners.com> | 1 year ago | |
ima: dont disable digest_list if the file is not processed EulerOS inclusion category: performance bugzilla: https://gitee.com/openeuler/kernel/issues/IAIO9Q ------------------------------ In the previous implementation, if the digest list file is not measured or appraised, the whole IMA digest list function will be disabled, and the system must be rebooted. It is too strict because users may make some mistakes. This commit optimizes the processing logic. If the digest list file is not processed correctly, just deny access to the file without disabling the entire function. Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com> | 1 year ago | |
ima: dont disable digest_list if the file is not processed EulerOS inclusion category: performance bugzilla: https://gitee.com/openeuler/kernel/issues/IAIO9Q ------------------------------ In the previous implementation, if the digest list file is not measured or appraised, the whole IMA digest list function will be disabled, and the system must be rebooted. It is too strict because users may make some mistakes. This commit optimizes the processing logic. If the digest list file is not processed correctly, just deny access to the file without disabling the entire function. Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com> | 1 year ago | |
IMA: Support the measurement extending of TSI TMM EulerOS inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I9RJ09 -------------------------------- This patch supports the RoT (Root of Trust) implemented by TSI TMM, which is used in virtCCA CVM feature. This patch includes the three parts: 1. Use a bool flag to determine whether the CVM is enabled. If enabled, bypass TPM. 2. Read the value of slot 0 (RIM) as the boot aggregate value, which is the measurement result of RIM. 3. Extend the IMA measure log hash into slot1 (REM0). Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com> | 2 years ago | |
ima: Fix warning: no previous prototype for function 'ima_add_kexec_buffer' mainline inclusion from mainline-5.14 commit: c67913492fec317bc53ffdff496b6ba856d2868c category: bugfix bugzilla: 182971 https://gitee.com/openeuler/kernel/issues/I4DDEL Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c67913492fec317bc53ffdff496b6ba856d2868c --------------------------- The function prototype for ima_add_kexec_buffer() is present in 'linux/ima.h'. But this header file is not included in ima_kexec.c where the function is implemented. This results in the following compiler warning when "-Wmissing-prototypes" flag is turned on: security/integrity/ima/ima_kexec.c:81:6: warning: no previous prototype for function 'ima_add_kexec_buffer' [-Wmissing-prototypes] Include the header file 'linux/ima.h' in ima_kexec.c to fix the compiler warning. Fixes: dce92f6b11c3 (arm64: Enable passing IMA log to next kernel on kexec) Reported-by: kernel test robot <lkp@intel.com> Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Acked-by: Rob Herring <robh@kernel.org> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Guo Zihua <guozihua@huawei.com> Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: Chen Jun <chenjun102@huawei.com> Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com> | 4 years ago | |
IMA: use real_inode to get the i_version hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/ICDKL2 -------------------------------- overlayfs has two types of inode, the overlayfs inode generated by overlayfs and the real inode of the file. When IMA does the measurement, process_measurement() will try to detect file content changes for files on an overlayfs filesystem based on the i_version number of the real inode. But now comparing with value of overlayfs inode, results in always re-evaluating the file's integrity. Therefore, ima_collect_measurement() should update iint->iversion with real_inode iversion. Also, ima_check_last_writer() should compare i_version based on real_inode. This patch is based on the implementation of upstream patch (see below Link tag). Due to merging the pre-patch to resolve conflicts introduces KABI changes, we don't fix this with the mainline version. Link: https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=db1d1e8b9867aae5c3e61ad7859abfcc4a6fd6c7 Fixes: b836c4d29f27 ("ima: detect changes to the backing overlay file") Signed-off-by: Gu Bowen <gubowen5@huawei.com> | 1 year ago | |
ima: Fix build warnings stable inclusion from stable-v5.10.188 commit 628709a05708918d17beddc9440b2d64320929c0 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I8KYFP Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=628709a05708918d17beddc9440b2d64320929c0 -------------------------------- [ Upstream commit 95526d13038c2bbddd567a4d8e39fac42484e182 ] Fix build warnings (function parameters description) for ima_collect_modsig(), ima_match_policy() and ima_parse_add_rule(). Fixes: 15588227e086 ("ima: Collect modsig") # v5.4+ Fixes: 2fe5d6def167 ("ima: integrity appraisal extension") # v5.14+ Fixes: 4af4662fa4a9 ("integrity: IMA policy") # v3.2+ Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: sanglipeng <sanglipeng1@jd.com> | 2 years ago | |
IMA: remove -Wmissing-prototypes warning stable inclusion from stable-5.10.65 commit 5cc1ee31353bd45e236c8679ebb561a5ee65fc5c bugzilla: 182361 https://gitee.com/openeuler/kernel/issues/I4EH3U Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=5cc1ee31353bd45e236c8679ebb561a5ee65fc5c -------------------------------- commit a32ad90426a9c8eb3915eed26e08ce133bd9e0da upstream. With W=1 build, the compiler throws warning message as below: security/integrity/ima/ima_mok.c:24:12: warning: no previous prototype for ‘ima_mok_init’ [-Wmissing-prototypes] __init int ima_mok_init(void) Silence the warning by adding static keyword to ima_mok_init(). Signed-off-by: Austin Kim <austin.kim@lge.com> Fixes: 41c89b64d718 ("IMA: create machine owner and blacklist keyrings") Cc: stable@vger.kernel.org Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Chen Jun <chenjun102@huawei.com> Acked-by: Weilong Chen <chenweilong@huawei.com> Signed-off-by: Chen Jun <chenjun102@huawei.com> Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com> | 4 years ago | |
ima: Handle error code returned by ima_filter_rule_match() mainline inclusion from mainline-v6.19-rc1 commit 738c9738e690f5cea24a3ad6fd2d9a323cf614f6 category: bugfix bugzilla: https://atomgit.com/openeuler/kernel/issues/7810 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=738c9738e690f5cea24a3ad6fd2d9a323cf614f6 -------------------------------- In ima_match_rules(), if ima_filter_rule_match() returns -ENOENT due to the rule being NULL, the function incorrectly skips the 'if (!rc)' check and sets 'result = true'. The LSM rule is considered a match, causing extra files to be measured by IMA. This issue can be reproduced in the following scenario: After unloading the SELinux policy module via 'semodule -d', if an IMA measurement is triggered before ima_lsm_rules is updated, in ima_match_rules(), the first call to ima_filter_rule_match() returns -ESTALE. This causes the code to enter the 'if (rc == -ESTALE && !rule_reinitialized)' block, perform ima_lsm_copy_rule() and retry. In ima_lsm_copy_rule(), since the SELinux module has been removed, the rule becomes NULL, and the second call to ima_filter_rule_match() returns -ENOENT. This bypasses the 'if (!rc)' check and results in a false match. Call trace: selinux_audit_rule_match+0x310/0x3b8 security_audit_rule_match+0x60/0xa0 ima_match_rules+0x2e4/0x4a0 ima_match_policy+0x9c/0x1e8 ima_get_action+0x48/0x60 process_measurement+0xf8/0xa98 ima_bprm_check+0x98/0xd8 security_bprm_check+0x5c/0x78 search_binary_handler+0x6c/0x318 exec_binprm+0x58/0x1b8 bprm_execve+0xb8/0x130 do_execveat_common.isra.0+0x1a8/0x258 __arm64_sys_execve+0x48/0x68 invoke_syscall+0x50/0x128 el0_svc_common.constprop.0+0xc8/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x44/0x200 el0t_64_sync_handler+0x100/0x130 el0t_64_sync+0x3c8/0x3d0 Fix this by changing 'if (!rc)' to 'if (rc <= 0)' to ensure that error codes like -ENOENT do not bypass the check and accidentally result in a successful match. 
Fixes: 4af4662fa4a9d ("integrity: IMA policy") Signed-off-by: Zhao Yipeng <zhaoyipeng5@huawei.com> Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Zhao Yipeng <zhaoyipeng5@huawei.com> | 6 months ago | |
IMA: Support the measurement extending of TSI TMM EulerOS inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I9RJ09 -------------------------------- This patch supports the RoT (Root of Trust) implemented by TSI TMM, which is used in virtCCA CVM feature. This patch includes the three parts: 1. Use a bool flag to determine whether the CVM is enabled. If enabled, bypass TPM. 2. Read the value of slot 0 (RIM) as the boot aggregate value, which is the measurement result of RIM. 3. Extend the IMA measure log hash into slot1 (REM0). Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com> | 2 years ago | |
Revert "ima: Add ima namespace to the ima subsystem APIs" hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4O25G CVE: NA -------------------------------- This reverts commit c2b095cc0f1447fbbeade7ba09c6e9e9ee75fca4. Signed-off-by: Zhang Tianxing <zhangtianxing3@huawei.com> Acked-by: Xie XiuQi <xiexiuqi@huawei.com> Acked-by: Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com> | 4 years ago | |
ima: Define new template fields iuid and igid stable inclusion from stable-v6.9.3 commit 7dcfeacc5a9d0c130160b86de23279793a8732c8 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I9RJ09 CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7dcfeacc5a9d0c130160b86de23279793a8732c8 -------------------------------- [ Upstream commit 7dcfeacc5a9d0c130160b86de23279793a8732c8 ] This patch defines the new template fields iuid and igid, which include respectively the inode UID and GID. For idmapped mounts, still the original UID and GID are provided. These fields can be used to verify the EVM portable signature, if it was included with the template fields sig or evmsig. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Acked-by: Christian Brauner <christian.brauner@ubuntu.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com> | 2 years ago | |
ima: Fix use-after-free on a dentry's dname.name mainline inclusion from mainline-v6.10-rc1 commit be84f32bb2c981ca670922e047cdde1488b233de category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAD0O1 CVE: CVE-2024-39494 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=be84f32bb2c981ca670922e047cdde1488b233de -------------------------------- ->d_name.name can change on rename and the earlier value can be freed; there are conditions sufficient to stabilize it (->d_lock on dentry, ->d_lock on its parent, ->i_rwsem exclusive on the parent's inode, rename_lock), but none of those are met at any of the sites. Take a stable snapshot of the name instead. Link: https://lore.kernel.org/all/20240202182732.GE2087318@ZenIV/ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> Conflicts: security/integrity/ima/ima_api.c [Just context conflicts.] Signed-off-by: GONG, Ruiqi <gongruiqi1@huawei.com> | 1 year ago | |
ima: Define new template fields iuid and igid stable inclusion from stable-v6.9.3 commit 7dcfeacc5a9d0c130160b86de23279793a8732c8 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I9RJ09 CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7dcfeacc5a9d0c130160b86de23279793a8732c8 -------------------------------- [ Upstream commit 7dcfeacc5a9d0c130160b86de23279793a8732c8 ] This patch defines the new template fields iuid and igid, which include respectively the inode UID and GID. For idmapped mounts, still the original UID and GID are provided. These fields can be used to verify the EVM portable signature, if it was included with the template fields sig or evmsig. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Acked-by: Christian Brauner <christian.brauner@ubuntu.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com> | 2 years ago |