[RFC PATCH 2/4] ima: define new ima_sb_post_new_mount hook

Mimi Zohar zohar at linux.vnet.ibm.com
Thu Dec 7 15:08:40 UTC 2017


On Thu, 2017-12-07 at 09:50 -0500, Jeff Layton wrote:
> On Thu, 2017-12-07 at 09:35 -0500, Mimi Zohar wrote:
> > Hi Jeff,
> > 
> > [The IMA/EVM and the TPM mailing lists have been combined as a single
> > linux-integrity mailing list.]
> > 
> > On Thu, 2017-12-07 at 07:26 -0500, Jeff Layton wrote:
> > > Sorry for the late review. I just started dusting off my i_version
> > > rework, and noticed that IMA still has unaddressed problems here.
> > 
> > <snip>
> > 
> > > Personally, I'm not a huge fan of this scheme. It seems quite invasive,
> > > and doesn't really seem to address the stated problem well.
> > 
> > A cleaned up version of this patch set was meant to follow the
> > introduction of a new integrity_read method, but that patch set was
> > rejected.  At this point, I have no intentions of upstreaming a
> > cleaned up version this patch set either.
> > 
> > > The warning itself seems ok, but I don't really see what's wrong with
> > > performing remeasurement when the mtime changes on filesystems that
> > > don't have SB_I_VERSION set. Surely that's better than limiting it to an
> > > initial measurement?
> > > 
> > > Maybe I just don't understand what you're really trying to achieve here.
> > 
> > Based on discussions with Sascha Hauer, he convinced me the i_version
> > test is basically just a performance improvement and posted a patch
> > that checks the filesystem for i_version support, before relying on it
> > -  https://www.spinics.net/lists/linux-integrity/msg00033.html.
> > 
> > Mimi
> > 
> 
> Thanks for the link. That patch looks good to me. Any idea when and if
> it will be merged?

Is that an Ack?  Barring any testing issues, I'll upstream it with
yours in the next open window.

Mimi

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html



More information about the Linux-security-module-archive mailing list