[PATCH v2 2/3] ima: don't ignore INTEGRITY_UNKNOWN EVM status
James Bottomley
James.Bottomley at HansenPartnership.com
Tue Jun 4 08:57:17 UTC 2019
On Mon, 2019-06-03 at 16:44 +0200, Roberto Sassu wrote:
> On 6/3/2019 4:31 PM, James Bottomley wrote:
> > On Mon, 2019-06-03 at 16:29 +0200, Roberto Sassu wrote:
[...]
> > > How would you prevent root in the container from updating
> > > security.ima?
> >
> > We don't. We only guarantee immutability for unprivileged
> > containers, so root can't be inside.
>
> Ok.
>
> Regarding the new behavior, this must be explicitly enabled by adding
> ima_appraise=enforce-evm or log-evm to the kernel command line.
> Otherwise, the current behavior is preserved with this patch. Would
> this be ok?
Sure, as long as it's an opt-in flag, meaning the behaviour of my
kernels on physical cloud systems doesn't change as I upgrade them, I'm
fine with that.
James
More information about the Linux-security-module-archive
mailing list