)]}' { "log": [ { "commit": "9bbb6cad0173e6220f3ac609e26beb48dab3b7cd", "tree": "680e0de3071c938ca9858fa9ed5bd5ca8ff2f20f", "parents": [ "54bb6552bd9405dc7685653157a4ec260c77a71c" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Tue Jan 26 17:02:40 2010 -0500" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Sun Feb 07 03:06:22 2010 -0500" }, "message": "ima: rename ima_path_check to ima_file_check\n\nima_path_check actually deals with files! call it ima_file_check instead.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "8eb988c70e7709b7bd1a69f0ec53d19ac20dea84", "tree": "6d0283a9fbca5cc104f591b9cc628edf39bc0b05", "parents": [ "1e41568d7378d1ba8c64ba137b9ddd00b59f893a" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Wed Jan 20 15:35:41 2010 -0500" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Sun Feb 07 03:06:22 2010 -0500" }, "message": "fix ima breakage\n\nThe \"Untangling ima mess, part 2 with counters\" patch messed\nup the counters. Based on conversations with Al Viro, this patch\nstreamlines ima_path_check() by removing the counter maintaince.\nThe counters are now updated independently, from measuring the file,\nin __dentry_open() and alloc_file() by calling ima_counts_get().\nima_path_check() is called from nfsd and do_filp_open().\nIt also did not measure all files that should have been measured.\nReason: ima_path_check() got bogus value passed as mask.\n[AV: mea culpa]\n[AV: add missing nfsd bits]\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "1429b3eca23818f87f9fa569a15d9816de81f698", "tree": "3100f009ec8863ee4692ee197b8e0c16c11258e6", "parents": [ "b65a9cfc2c38eebc33533280b8ad5841caee8b6e" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Wed Dec 16 06:38:01 2009 -0500" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Wed Dec 16 12:16:47 2009 -0500" }, "message": "Untangling ima mess, part 3: kill dead code in ima\n\nKill the \u0027update\u0027 argument of ima_path_check(), kill\ndead code in ima.\n\nCurrent rules: ima counters are bumped at the same time\nwhen the file switches from put_filp() fodder to fput()\none. Which happens exactly in two places - alloc_file()\nand __dentry_open(). Nothing else needs to do that at\nall.\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "94e5d714f604d4cb4cb13163f01ede278e69258b", "tree": "1f7f50f5eddf74e6930eaf0384538549f263b8fe", "parents": [ "79b854c549c62c54fa27f87e04465c01db889f8d" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Fri Jun 26 14:05:27 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jun 29 08:59:10 2009 +1000" }, "message": "integrity: add ima_counts_put (updated)\n\nThis patch fixes an imbalance message as reported by J.R. Okajima.\nThe IMA file counters are incremented in ima_path_check. If the\nactual open fails, such as ETXTBSY, decrement the counters to\nprevent unnecessary imbalance messages.\n\nReported-by: J.R. Okajima \u003chooanon05@yahoo.co.jp\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b9fc745db833bbf74b4988493b8cd902a84c9415", "tree": "45a15174efb3b1c3dcbe5f0dc503e790c4f6fd70", "parents": [ "932995f0ce52525b32ff5127b522c2c164de3810" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Tue May 19 13:25:57 2009 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri May 22 09:43:41 2009 +1000" }, "message": "integrity: path_check update\n\n- Add support in ima_path_check() for integrity checking without\nincrementing the counts. (Required for nfsd.)\n- rename and export opencount_get to ima_counts_get\n- replace ima_shm_check calls with ima_counts_get\n- export ima_path_check\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ed850a52af971528b048812c4215cef298af0d3b", "tree": "e78fdb9e91e61dd297df2b126527340b483ae2a2", "parents": [ "cb5629b10d64a8006622ce3a52bc887d91057d69" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Tue Feb 10 23:01:19 2009 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Feb 11 15:27:15 2009 +1100" }, "message": "integrity: shmem zero fix\n\nBased on comments from Mike Frysinger and Randy Dunlap:\n(http://lkml.org/lkml/2009/2/9/262)\n- moved ima.h include before CONFIG_SHMEM test to fix compiler error\n on Blackfin:\nmm/shmem.c: In function \u0027shmem_zero_setup\u0027:\nmm/shmem.c:2670: error: implicit declaration of function \u0027ima_shm_check\u0027\n\n- added \u0027struct linux_binprm\u0027 in ima.h to fix compiler warning on Blackfin:\nIn file included from mm/shmem.c:32:\ninclude/linux/ima.h:25: warning: \u0027struct linux_binprm\u0027 declared inside\nparameter list\ninclude/linux/ima.h:25: warning: its scope is only this definition or\ndeclaration, which is probably not what you want\n\n- moved fs.h include within _LINUX_IMA_H definition\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: Mike Frysinger \u003cvapier@gentoo.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "1df9f0a73178718969ae47d813b8e7aab2cf073c", "tree": "6bd3d8838858f0e93acd8f7969b7d0e5ce2bfb08", "parents": [ "f4bd857bc8ed997c25ec06b56ef8064aafa6d4f3" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Wed Feb 04 09:07:02 2009 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Feb 06 09:05:33 2009 +1100" }, "message": "Integrity: IMA file free imbalance\n\nThe number of calls to ima_path_check()/ima_file_free()\nshould be balanced. An extra call to fput(), indicates\nthe file could have been accessed without first being\nmeasured.\n\nAlthough f_count is incremented/decremented in places other\nthan fget/fput, like fget_light/fput_light and get_file, the\ncurrent task must already hold a file refcnt. The call to\n__fput() is delayed until the refcnt becomes 0, resulting\nin ima_file_free() flagging any changes.\n\n- add hook to increment opencount for IPC shared memory(SYSV),\n shmat files, and /dev/zero\n- moved NULL iint test in opencount_get()\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "3323eec921efd815178a23107ab63588c605c0b2", "tree": "bc9e9714ac4881ebc515c1bd155674c52c356d6a", "parents": [ "6146f0d5e47ca4047ffded0fb79b6c25359b386c" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Wed Feb 04 09:06:58 2009 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Feb 06 09:05:30 2009 +1100" }, "message": "integrity: IMA as an integrity service provider\n\nIMA provides hardware (TPM) based measurement and attestation for\nfile measurements. As the Trusted Computing (TPM) model requires,\nIMA measures all files before they are accessed in any way (on the\nintegrity_bprm_check, integrity_path_check and integrity_file_mmap\nhooks), and commits the measurements to the TPM. Once added to the\nTPM, measurements can not be removed.\n\nIn addition, IMA maintains a list of these file measurements, which\ncan be used to validate the aggregate value stored in the TPM. The\nTPM can sign these measurements, and thus the system can prove, to\nitself and to a third party, the system\u0027s integrity in a way that\ncannot be circumvented by malicious or compromised software.\n\n- alloc ima_template_entry before calling ima_store_template()\n- log ima_add_boot_aggregate() failure\n- removed unused IMA_TEMPLATE_NAME_LEN\n- replaced hard coded string length with #define name\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "6146f0d5e47ca4047ffded0fb79b6c25359b386c", "tree": "edd792e52ad56d4a5d3ac6caa8437d3283fc157e", "parents": [ "659aaf2bb5496a425ba14036b5b5900f593e4484" ], "author": { "name": "Mimi Zohar", "email": "zohar@linux.vnet.ibm.com", "time": "Wed Feb 04 09:06:57 2009 -0500" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Feb 06 09:05:30 2009 +1100" }, "message": "integrity: IMA hooks\n\nThis patch replaces the generic integrity hooks, for which IMA registered\nitself, with IMA integrity hooks in the appropriate places directly\nin the fs directory.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" } ] }