[RFC PATCH 2/4] ima: define new ima_sb_post_new_mount hook
Jeff Layton
jlayton at kernel.org
Fri Dec 15 21:13:29 UTC 2017
On Thu, 2017-12-07 at 10:09 -0500, Jeff Layton wrote:
> On Thu, 2017-12-07 at 10:08 -0500, Mimi Zohar wrote:
> > On Thu, 2017-12-07 at 09:50 -0500, Jeff Layton wrote:
> > > On Thu, 2017-12-07 at 09:35 -0500, Mimi Zohar wrote:
> > > > Hi Jeff,
> > > >
> > > > [The IMA/EVM and the TPM mailing lists have been combined as a single
> > > > linux-integrity mailing list.]
> > > >
> > > > On Thu, 2017-12-07 at 07:26 -0500, Jeff Layton wrote:
> > > > > Sorry for the late review. I just started dusting off my i_version
> > > > > rework, and noticed that IMA still has unaddressed problems here.
> > > >
> > > > <snip>
> > > >
> > > > > Personally, I'm not a huge fan of this scheme. It seems quite invasive,
> > > > > and doesn't really seem to address the stated problem well.
> > > >
> > > > A cleaned up version of this patch set was meant to follow the
> > > > introduction of a new integrity_read method, but that patch set was
> > > > rejected. At this point, I have no intentions of upstreaming a
> > > > cleaned up version this patch set either.
> > > >
> > > > > The warning itself seems ok, but I don't really see what's wrong with
> > > > > performing remeasurement when the mtime changes on filesystems that
> > > > > don't have SB_I_VERSION set. Surely that's better than limiting it to an
> > > > > initial measurement?
> > > > >
> > > > > Maybe I just don't understand what you're really trying to achieve here.
> > > >
> > > > Based on discussions with Sascha Hauer, he convinced me the i_version
> > > > test is basically just a performance improvement and posted a patch
> > > > that checks the filesystem for i_version support, before relying on it
> > > > - https://www.spinics.net/lists/linux-integrity/msg00033.html.
> > > >
> > > > Mimi
> > > >
> > >
> > > Thanks for the link. That patch looks good to me. Any idea when and if
> > > it will be merged?
> >
> > Is that an Ack? Barring any testing issues, I'll upstream it with
> > yours in the next open window.
> >
> > Mimi
> >
>
> Sure, you can add:
>
> Reviewed-by: Jeff Layton <jlayton at redhat.com>
BTW, could you get this into linux-next sometime soon? I have a series
of patches to overhaul i_version handling that I want to go in soon and
there could be merge conflicts.
Thanks,
--
Jeff Layton <jlayton at kernel.org>
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
More information about the Linux-security-module-archive
mailing list