[PATCH v2 10/10] ima: use existing read file operation method to calculate file hash

Mimi Zohar zohar at linux.vnet.ibm.com
Wed Jul 5 14:50:09 UTC 2017


[Cc'ing linux-ima-users]

On Wed, 2017-06-28 at 16:41 +0200, Christoph Hellwig wrote:
> NAK - we'll need an explicit method for the integrity code.
> 
> And just curious - what filesystem that you care about actually
> implements ->read instead of ->read_iter?  We shouldn't be doing that
> for real file systems anymore.

Right, pseudo filesystems are using ->read. The existing builtin
measurement policies exclude a number of pseudo filesystems, but not
efivarfs.  Unfortunately, we do not know what type of custom policies
are currently being used.

The contents of the IMA measurement list are verified against a
reference manifest, provided at registration, or against a white list.
Not measuring files that were previously measured could break
userspace applications.

Let's wait to hear back from the larger IMA community as to whether
there is a need to measure files on pseudo filesystems, before
implementing an explicit method.

Mimi
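The verification step this reply refers to (checking the IMA measurement list against a reference manifest or whitelist) as an added, stand-alone example; it is not code from the patch or from the IMA subsystem. It parses the `ima-ng` entries of `ascii_runtime_measurements` and shows why an entry for a newly measured efivarfs file surfaces as "unknown" when the manifest was generated before such files were measured. Paths, hashes and the manifest are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class Measurement:
    pcr: int
    template_hash: str
    algo: str
    file_hash: str
    path: str

def parse_ima_ng_line(line: str) -> Measurement:
    """Parse one ascii_runtime_measurements entry in the ima-ng template format:
    '<pcr> <template-hash> ima-ng <algo>:<file-hash> <path>'."""
    fields = line.split(maxsplit=4)
    if len(fields) != 5 or fields[2] != "ima-ng":
        raise ValueError(f"unsupported measurement entry: {line!r}")
    pcr, template_hash, _template, digest, path = fields
    algo, sep, file_hash = digest.partition(":")
    if not sep or not file_hash:
        raise ValueError(f"malformed digest field: {digest!r}")
    return Measurement(int(pcr), template_hash, algo, file_hash, path)

def verify_measurements(lines, manifest):
    """Compare each measured file against manifest {path: (algo, hex hash)}.
    Returns (verified, unknown, mismatched) lists of paths. A measured path
    absent from the manifest is 'unknown': that is what a verifier sees when
    a policy starts measuring files (e.g. on efivarfs) the manifest never covered."""
    verified, unknown, mismatched = [], [], []
    for line in lines:
        m = parse_ima_ng_line(line)
        expected = manifest.get(m.path)
        if expected is None:
            unknown.append(m.path)
        elif expected != (m.algo, m.file_hash):
            mismatched.append(m.path)
        else:
            verified.append(m.path)
    return verified, unknown, mismatched

# Constructed sample data: the hashes are placeholders, not real file digests.
EFIVAR = "/sys/firmware/efi/efivars/Boot0000-8be4df61-93ca-11d2-aa0d-00e098032b8c"
SAMPLE_LINES = [
    "10 " + "11" * 20 + " ima-ng sha256:" + "aa" * 32 + " /usr/bin/bash",
    "10 " + "22" * 20 + " ima-ng sha256:" + "bb" * 32 + " /usr/lib/libc.so.6",
    "10 " + "33" * 20 + " ima-ng sha256:" + "cc" * 32 + " " + EFIVAR,
]
SAMPLE_MANIFEST = {
    "/usr/bin/bash": ("sha256", "aa" * 32),
    "/usr/lib/libc.so.6": ("sha256", "ee" * 32),  # differs on purpose: a changed file
}

if __name__ == "__main__":
    print(verify_measurements(SAMPLE_LINES, SAMPLE_MANIFEST))
```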
