Re: [RFC PATCH v9 09/16] block|security: add LSM blob to block_device

From: Fan Wu
Date: Tue Jan 31 2023 - 18:01:06 EST

Next message: syzbot: "Re: [syzbot] [ntfs3?] BUG: unable to handle kernel NULL pointer dereference in ntfs_sparse_cluster"
Previous message: Mathieu Poirier: "Re: [PATCH v2] remoteproc: xilinx: add mailbox channels for rpmsg"
In reply to: Christoph Hellwig: "Re: [RFC PATCH v9 09/16] block|security: add LSM blob to block_device"
Next in thread: Fan Wu: "[RFC PATCH v9 15/16] ipe: kunit test for parser"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Jan 31, 2023 at 12:53:59AM -0800, Christoph Hellwig wrote:
> On Mon, Jan 30, 2023 at 02:57:24PM -0800, Fan Wu wrote:
> > From: Deven Bowers <deven.desai@xxxxxxxxxxxxxxxxxxx>
> >
> > block_device structures can have valuable security properties,
> > based on how they are created, and what subsystem manages them.
>
> That's a lot of cloudy talk but no real explanation.

Sorry for being too general here. Currently the only use target of this hook is dm-verity. We use the newly added security hook to save the dm-verity roothash and signature to the new bdev security blob during the bdev creation time, so LSMs can leverage this information to protect the system.

I will add this example in the next version.

-Fan

Next message: syzbot: "Re: [syzbot] [ntfs3?] BUG: unable to handle kernel NULL pointer dereference in ntfs_sparse_cluster"
Previous message: Mathieu Poirier: "Re: [PATCH v2] remoteproc: xilinx: add mailbox channels for rpmsg"
In reply to: Christoph Hellwig: "Re: [RFC PATCH v9 09/16] block|security: add LSM blob to block_device"
Next in thread: Fan Wu: "[RFC PATCH v9 15/16] ipe: kunit test for parser"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]