[PATCH v1 1/2] ima: fail signature verification on untrusted filesystems

Eric W. Biederman ebiederm at xmission.com
Wed Feb 21 22:53:27 UTC 2018

Mimi Zohar <zohar at linux.vnet.ibm.com> writes:

> On Mon, 2018-02-19 at 20:02 -0600, Eric W. Biederman wrote:
>> It would also be nice if I could provide all of this information at
>> mount time (when I am the global root) with mount options.  So I don't
>> need to update all of my tooling to know how to update ima policy when I
>> am mounting a filesystem.
> The latest version of this patch relies on a builtin IMA policy to set
> a flag.  No other changes are required to the IMA policy.  This
> builtin policy could be used for environments not willing to accept
> the default unverifiable signature risk.

I still remain puzzled by this.  Why is the default to accept the risk?


To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

More information about the Linux-security-module-archive mailing list