[RFC PATCH 2/4] ima: define new ima_sb_post_new_mount hook
jlayton at redhat.com
Thu Dec 7 14:50:16 UTC 2017
On Thu, 2017-12-07 at 09:35 -0500, Mimi Zohar wrote:
> Hi Jeff,
> [The IMA/EVM and the TPM mailing lists have been combined as a single
> linux-integrity mailing list.]
> On Thu, 2017-12-07 at 07:26 -0500, Jeff Layton wrote:
> > Sorry for the late review. I just started dusting off my i_version
> > rework, and noticed that IMA still has unaddressed problems here.
> > Personally, I'm not a huge fan of this scheme. It seems quite invasive,
> > and doesn't really seem to address the stated problem well.
> A cleaned up version of this patch set was meant to follow the
> introduction of a new integrity_read method, but that patch set was
> rejected. At this point, I have no intentions of upstreaming a
> cleaned up version this patch set either.
> > The warning itself seems ok, but I don't really see what's wrong with
> > performing remeasurement when the mtime changes on filesystems that
> > don't have SB_I_VERSION set. Surely that's better than limiting it to an
> > initial measurement?
> > Maybe I just don't understand what you're really trying to achieve here.
> Based on discussions with Sascha Hauer, he convinced me the i_version
> test is basically just a performance improvement and posted a patch
> that checks the filesystem for i_version support, before relying on it
> - https://www.spinics.net/lists/linux-integrity/msg00033.html.
Thanks for the link. That patch looks good to me. Any idea when and if
it will be merged?
Jeff Layton <jlayton at redhat.com>
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
More information about the Linux-security-module-archive