[PATCH v5 3/4] LSM: Define SELinux function to measure state and policy
Lakshmi Ramasubramanian
nramas at linux.microsoft.com
Tue Aug 4 15:57:02 UTC 2020
On 8/4/20 8:29 AM, Stephen Smalley wrote:
>>> Perhaps vmalloc would be better than using kmalloc? If there are
>>> better options for such large buffer allocation, please let me know.
>>
>> kvmalloc() can be used to select whichever one is most appropriate.
>
> Other option would be for ima to compute and save the hash(es) of the
> payload and not the payload itself for later use. I guess you won't
> know at that point which hash algorithm is desired?
>
I think IMA hash algorithm would be known at that point, but IMA policy
is not loaded yet (which is why I need to queue up the buffer and
process when policy is loaded).
I tried vmalloc and tested it with upto 16MB buffer (just made up a
SELinux policy buffer of size 16MB) - that works fine.
I will try kvmalloc().
Also, I fixed the issue with LSM data not measured when using the IMA
policy you had. Good catch.
Will post the updated patches today.
thanks,
-lakshmi
More information about the Linux-security-module-archive
mailing list