From levonshe at yandex.com Mon Feb 4 10:38:19 2019
From: levonshe at yandex.com (Lev Olshvang)
Date: Mon, 04 Feb 2019 11:38:19 +0300
Subject: SELinux, LSM and ima_policy rules
Message-ID: <25111041549269499@myt6-67cd1de25d8a.qloud-c.yandex.net>

Hello everybody.

I learned recently that IMA kernel security subsystem can be integrated with LSMs, such as SELinux, Smack, ...

https://sourceforge.net/p/linux-ima/wiki/Home/
https://www.kernel.org/doc/Documentation/ABI/testing/ima_policy

It was present in kernel since v3.8 but Google does not know much about the usability.

Does anybody have any experience or references which I can read to learn restrictions, performance impact or just use cases?

ThanX!
Lev.

From levonshe at yandex.com Tue Feb 19 15:33:16 2019
From: levonshe at yandex.com (Lev Olshvang)
Date: Tue, 19 Feb 2019 16:33:16 +0300
Subject: writes to /dev/kmsg
Message-ID: <2722241550583196@iva1-16f33c6a446b.qloud-c.yandex.net>

An HTML attachment was scrubbed...

From const at makelinux.co.il Tue Feb 19 18:42:25 2019
From: const at makelinux.co.il (Constantine Shulyupin)
Date: Tue, 19 Feb 2019 18:42:25 +0200
Subject: writes to /dev/kmsg
In-Reply-To: <2722241550583196@iva1-16f33c6a446b.qloud-c.yandex.net>
References: <2722241550583196@iva1-16f33c6a446b.qloud-c.yandex.net>
Message-ID:

I write to /dev/kmsg when it is needed to synchronize UM and driver's logs.

On Tue, Feb 19, 2019 at 3:34 PM Lev Olshvang wrote:

> Kernel documentation describes interface
> https://www.kernel.org/doc/Documentation/ABI/testing/dev-kmsg
>
> I wonder what kind of applications use it?
> Why would somebody need to use kmsg instead of syslog?
>
> Can anybody give an example of such an application?
>
> Regards,
> Lev

--
Constantine Shulyupin
http://www.MakeLinux.co.il/
Embedded Linux Systems
Tel Aviv

From levonshe at yandex.com Wed Feb 20 11:22:54 2019
From: levonshe at yandex.com (Lev Olshvang)
Date: Wed, 20 Feb 2019 12:22:54 +0300
Subject: writes to /dev/kmsg
In-Reply-To:
References: <2722241550583196@iva1-16f33c6a446b.qloud-c.yandex.net>
Message-ID: <15774361550654574@sas2-9bd6ba081e5d.qloud-c.yandex.net>

An HTML attachment was scrubbed...

From const at makelinux.co.il Wed Feb 20 11:43:40 2019
From: const at makelinux.co.il (Constantine Shulyupin)
Date: Wed, 20 Feb 2019 11:43:40 +0200
Subject: writes to /dev/kmsg
In-Reply-To: <15774361550654574@sas2-9bd6ba081e5d.qloud-c.yandex.net>
References: <2722241550583196@iva1-16f33c6a446b.qloud-c.yandex.net> <15774361550654574@sas2-9bd6ba081e5d.qloud-c.yandex.net>
Message-ID:

stderr = fopen("/dev/kmsg", "w+");
fprintf(stderr, "%s:%i %s ", __FILE__, __LINE__, __func__);

Call a driver. In the driver:

#undef pr_fmt
#define pr_fmt(fmt) "%s.c:%d %s " fmt, KBUILD_MODNAME, __LINE__, __func__
pr_debug("...");

or

printk("%s:%i %s ", __FILE__, __LINE__, __func__);

then from UM:

fprintf(stderr, "%s:%i %s ", __FILE__, __LINE__, __func__);

Thanks

On Wed, Feb 20, 2019 at 11:23 AM Lev Olshvang wrote:

> Can you please elaborate, what you are trying to synchronize, I suppose
> messages from your driver are uniquely identified?
>
> 19.02.2019, 19:42, "Constantine Shulyupin" :
>
> I write to /dev/kmsg when it is needed to synchronize UM and driver's logs.
>
> On Tue, Feb 19, 2019 at 3:34 PM Lev Olshvang wrote:
>
> Kernel documentation describes interface
> https://www.kernel.org/doc/Documentation/ABI/testing/dev-kmsg
>
> I wonder what kind of applications use it?
> Why would somebody need to use kmsg instead of syslog?
>
> Can anybody give an example of such an application?
>
> Regards,
> Lev

--
Constantine Shulyupin
http://www.MakeLinux.co.il/
Embedded Linux Systems
Tel Aviv

From levonshe at yandex.com Wed Feb 20 13:01:32 2019
From: levonshe at yandex.com (Lev Olshvang)
Date: Wed, 20 Feb 2019 14:01:32 +0300
Subject: which tools exist for configuring SELinux /AppArmor in development cycle automatically iterations? ?
Message-ID: <10628551550660492@myt1-4903e6646a45.qloud-c.yandex.net>

An HTML attachment was scrubbed...

From pub at goldshmidt.org Thu Feb 21 13:14:52 2019
From: pub at goldshmidt.org (Oleg Goldshmidt)
Date: Thu, 21 Feb 2019 13:14:52 +0200
Subject: writes to /dev/kmsg
In-Reply-To: <2722241550583196@iva1-16f33c6a446b.qloud-c.yandex.net>
References: <2722241550583196@iva1-16f33c6a446b.qloud-c.yandex.net>
Message-ID:

On Tue, Feb 19, 2019 at 3:34 PM Lev Olshvang wrote:

> Kernel documentation describes interface
> https://www.kernel.org/doc/Documentation/ABI/testing/dev-kmsg

The 4th line of this document, "Kay Sievers " tells me a lot about the kind of application that uses it. I suggest reading up on it in

https://bugs.freedesktop.org/show_bug.cgi?id=76935

and maybe also in this thread:

http://lkml.iu.edu/hypermail/linux/kernel/1404.0/01331.html

> I wonder what kind of applications use it?
> Why would somebody need to use kmsg instead of syslog?

PID #1 before filesystems have been mounted and before any other facility is made available - see above.

--
Oleg Goldshmidt | pub at goldshmidt.org
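Added example for the "writes to /dev/kmsg" thread above; it is not part of any list message. When user-space and driver lines share one log, a reader of /dev/kmsg can still tell them apart: per the dev-kmsg ABI document linked in the thread, each record starts with "prio,seq,timestamp,flags;" and a write from user space cannot carry facility 0 (kernel). The struct and function names and the sample records are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Header of one /dev/kmsg record: "prio,seq,usec,flags;text\n". */
struct kmsg_rec {
    unsigned level, facility;     /* prio & 7, prio >> 3 (0 = kernel) */
    unsigned long long seq, usec; /* sequence number, monotonic microseconds */
    const char *text;             /* message text, points into the input */
};

/* Read one decimal field, then step past ',' or stop on ';'. */
static int num_field(const char **p, unsigned long long *v)
{
    char *end;
    int ok = **p >= '0' && **p <= '9';
    *v = strtoull(*p, &end, 10);
    *p = (*end == ',') ? end + 1 : end;
    return (ok && (*end == ',' || *end == ';')) ? 0 : -1;
}

/* Parse one record; returns 0 on success, -1 if the header is malformed. */
static int kmsg_parse(const char *rec, struct kmsg_rec *out)
{
    unsigned long long prio;
    if (num_field(&rec, &prio) || num_field(&rec, &out->seq) ||
        num_field(&rec, &out->usec) || !(rec = strchr(rec, ';')))
        return -1;
    out->level = (unsigned)(prio & 7);
    out->facility = (unsigned)(prio >> 3);
    out->text = rec + 1;
    return 0;
}

/* 1 = written via /dev/kmsg from user space, 0 = kernel printk, -1 = bad. */
static int kmsg_from_userspace(const char *rec)
{
    struct kmsg_rec r;
    return kmsg_parse(rec, &r) ? -1 : r.facility != 0;
}

int main(void)
{
    const char *s[] = { /* constructed samples, not from a real system */
        "7,1201,5012345,-;mydrv.c:88 mydrv_ioctl enter\n",
        "12,1202,5012399,-;app.c:42 main after ioctl\n" };
    for (int i = 0; i < 2; i++)
        printf("%-6s %s", kmsg_from_userspace(s[i]) ? "user" : "kernel",
               strchr(s[i], ';') + 1);
    return 0;
}
```

The sequence number and timestamp give the ordering of the interleaved lines, while the facility shows which side wrote each one.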
From govershay at gmail.com Fri Feb 22 01:38:03 2019
From: govershay at gmail.com (Shay Gover)
Date: Fri, 22 Feb 2019 01:38:03 +0200
Subject: A friend is looking for a Linux person for Jerusalem
Message-ID:

???? ?????, ??? ???? ??? ?????? ????? ????????. ??? ?? ???? ????? ???. ???? ?????? ??????? ????? ?????. ?? ???? ???? ?????. ??

From levonshe at yandex.com Sun Feb 24 10:06:11 2019
From: levonshe at yandex.com (Lev Olshvang)
Date: Sun, 24 Feb 2019 11:06:11 +0300
Subject: Which Linux technology exists to protect file's data at run at file granularity?
Message-ID: <12775891550995571@sas2-0106f63be698.qloud-c.yandex.net>

An HTML attachment was scrubbed...

From elazarl at gmail.com Sun Feb 24 11:34:10 2019
From: elazarl at gmail.com (Elazar Leibovich)
Date: Sun, 24 Feb 2019 11:34:10 +0200
Subject: Which Linux technology exists to protect file's data at run at file granularity?
In-Reply-To: <12775891550995571@sas2-0106f63be698.qloud-c.yandex.net>
References: <12775891550995571@sas2-0106f63be698.qloud-c.yandex.net>
Message-ID:

Sounds like you want IMA+EVM, specifically IMA-appraisal. I've no experience with that in practice.

https://sourceforge.net/p/linux-ima/wiki/Home/#ima-appraisal
https://events.linuxfoundation.org/wp-content/uploads/2017/12/LSS2018-EU-LinuxIntegrityOverview_Mimi-Zohar.pdf

As I mentioned before, judging from your previous question, *I think what you really need is a paid professional Linux security consultancy.* Asking security questions in a mailing list, and worse, getting answers from non-professionals like myself is not a good path to reach a secure system IMHO.

By all means, you're invited to mail me in private/give me a call. While I personally cannot help you I can refer you to people who do that for a living.
Disclosure, I've no connection to security consultants other than working with some excellent ones, to which I can refer and they'll probably find you a good place to get your system secure.

Remember, even world class security teams, like the ones who designed the X-Boxes, missed some details and ended up with a vulnerable system. If indeed a secure Linux is a priority, industry knows how to do that to some extent, but IMHO you need a paid professional consultant, not a general question in a public mailing list.

In my view, what you're doing is akin to asking a public forum how to design a brakes system without any context. This is unlikely to end up well. I don't feel it's responsible from my side to just provide my limited knowledge without mentioning the problems with the general approach.

On Sun, Feb 24, 2019 at 10:07 AM Lev Olshvang wrote:

>
> I know at least several technologies that protect "data at rest", such
> as dm-crypt, tomb, eCryptfs.
>
> The problem with dm-crypt or eCryptfs is that since the file system is mounted,
> all logged users, including attackers, can read files.
>
> But I did not find anything that protects data at run, i.e. decrypts only
> file read request using user key.
>
> Please advise,
> Lev