[Linux-ima-devel] [RFC PATCH 1/5] ima: extend clone() with IMA namespace support
Mimi Zohar
zohar at linux.vnet.ibm.com
Mon Jul 31 11:31:58 UTC 2017
On Fri, 2017-07-28 at 14:19 +0000, Magalhaes, Guilherme (Brazil R&D-CL) wrote:
> > > Each measurement entry in the list could have new fields to identify
> > > the namespace. Since the namespaces can be reused, a timestamp or
> > > other fields could be added to uniquely identify the namespace id.
> >
> > The more fields included in the measurement list, the more
> > measurements will be added to the measurement list. Wouldn't it be
> > enough to know that a certain file has been accessed/executed on the
> > system and base any analytics/forensics on the IMA-audit data?
>
> With the recursive application of policy through the namespace hierarchy,
> a measurement added to the parent namespace could be misleading since
> the file pathname makes sense in the current namespace but possibly not
> for the parent namespace.
Fair enough.
> This is the reason why I believe some new field
> might be needed in the IMA template format to indicate or uniquely
> identify the namespace.
I would probably include information to uniquely identify the file
(eg. UUID, mountpoint), not the namespace.
Mimi
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
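The ambiguity discussed above (the same pathname meaning different files in different namespaces, and a per-file identifier such as a filesystem UUID resolving it) can be illustrated on constructed measurement-list entries. This is an added example, not code from the thread or from the IMA subsystem. The ima-ng lines follow the real ascii_runtime_measurements layout; the "ima-nsx" template with an extra filesystem-UUID field is hypothetical, as are the UUIDs and hash values.

```python
"""Why a measurement list keyed only on pathname is ambiguous across
namespaces, and how an extra per-file identifier disambiguates it.

Added illustration, not IMA code. "ima-nsx" is a hypothetical template;
all hashes, UUIDs and paths below are constructed sample data.
"""
from collections import defaultdict

# Constructed ima-ng entries: PCR, template hash, template name,
# algo:filedata hash, pathname. The same pathname is measured from two
# mount namespaces (e.g. host rootfs vs. a container rootfs) with
# different contents, so a verifier keyed on pathname sees a conflict.
IMA_NG_LINES = """\
10 1111111111111111111111111111111111111111 ima-ng sha256:aaaa /usr/bin/sh
10 2222222222222222222222222222222222222222 ima-ng sha256:bbbb /usr/bin/sh
10 3333333333333333333333333333333333333333 ima-ng sha256:cccc /usr/lib/libc.so.6
"""

# Hypothetical "ima-nsx" template (NOT an existing IMA template): same
# fields as ima-ng plus a filesystem UUID before the pathname.
IMA_NSX_LINES = """\
10 1111111111111111111111111111111111111111 ima-nsx sha256:aaaa 0f6e1c5e-host-uuid /usr/bin/sh
10 2222222222222222222222222222222222222222 ima-nsx sha256:bbbb 7a3b9d2c-ctr-uuid /usr/bin/sh
"""

# Field layout of the data that follows the template name, per template.
TEMPLATE_FIELDS = {
    "ima-ng": ("filedata_hash", "pathname"),
    "ima-nsx": ("filedata_hash", "fs_uuid", "pathname"),  # hypothetical
}


def parse_entries(text):
    """Parse ascii measurement lines into dicts keyed by field name."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pcr, template_hash, template_name, rest = line.split(maxsplit=3)
        fields = TEMPLATE_FIELDS[template_name]
        # The pathname is always the last field; split only as many
        # times as there are preceding fields so it survives intact.
        values = rest.split(maxsplit=len(fields) - 1)
        if len(values) != len(fields):
            raise ValueError(f"malformed entry: {line!r}")
        entry = {"pcr": int(pcr), "template_hash": template_hash,
                 "template_name": template_name}
        entry.update(zip(fields, values))
        entries.append(entry)
    return entries


def find_conflicts(entries, key_fields):
    """Group entries by key_fields; report keys seen with more than one
    file-data hash, i.e. keys that do not identify a file uniquely."""
    seen = defaultdict(set)
    for entry in entries:
        key = tuple(entry[field] for field in key_fields)
        seen[key].add(entry["filedata_hash"])
    return {key: hashes for key, hashes in seen.items() if len(hashes) > 1}


if __name__ == "__main__":
    # Keyed on pathname alone, /usr/bin/sh appears with two hashes.
    print(find_conflicts(parse_entries(IMA_NG_LINES), ("pathname",)))
    # Keyed on (filesystem UUID, pathname), each key maps to one hash.
    print(find_conflicts(parse_entries(IMA_NSX_LINES), ("fs_uuid", "pathname")))
```

The point of the second call is that the disambiguating field identifies the file's origin rather than the namespace that happened to measure it, so entries remain meaningful to a verifier reading the parent's list even after the measuring namespace has gone away and its id has been reused.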