[Linux-ima-devel] [RFC PATCH 2/4] ima: define new ima_sb_post_new_mount hook
James Morris
jmorris at namei.org
Thu Aug 17 02:39:00 UTC 2017

On Wed, 16 Aug 2017, Mimi Zohar wrote:

> In this context, I'm not sure what you mean by "loaded". IMA needs to
> be enabled from the very beginning to capture all measurements and
> verify the integrity of files, without any gaps. At some point this
> would include other LSM policies.

I think it's better to keep IMA orthogonal to LSM for this reason.

The original motivation to implement IMA as a separate API was because LSM
was at the time considered specific to access control mechanisms, although
that is not the case now.

--
James Morris
<jmorris at namei.org>