[PATCH v2 10/10] ima: use existing read file operation method to calculate file hash

Christoph Hellwig hch at lst.de
Wed Jul 5 17:18:57 UTC 2017


On Wed, Jul 05, 2017 at 06:02:15PM +0100, Matthew Garrett wrote:
> On Wed, Jul 05, 2017 at 10:50:09AM -0400, Mimi Zohar wrote:
> > [Cc'ing linux-ima-users]
> > 
> > On Wed, 2017-06-28 at 16:41 +0200, Christoph Hellwig wrote:
> > > NAK - we'll need an explicit method for the integrity code.
> > > 
> > > And just curious - what filesystem that you care about actually
> > > implements ->read instead of ->read_iter?  We shouldn't be doing that
> > > for real file systems anymore.
> > 
> > Right, pseudo filesystems are using ->read. The existing builtin
> > measurement policies exclude a number of pseudo filesystems, but not
> > efivarfs.  Unfortunately, we do not know what type of custom policies
> > are currently being used.
> 
> efi variables contain information that may influence userspace behaviour 
> and can also be modified out of band, so I think there's a reasonable 
> argument that they should be measured.

Then efivars should grow a ->integrity_read method.
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html



More information about the Linux-security-module-archive mailing list