[PATCH v1 - RFC] ima: export the measurement list when needed

Janne Karhunen janne.karhunen at gmail.com
Wed Jan 1 06:49:27 UTC 2020


On Tue, Dec 24, 2019 at 5:35 PM <david.safford at gmail.com> wrote:

> > That is a good question. I went this way as it did not feel right to
> > me that the kernel would depend on periodic, reliable userspace
> > functionality to stay running (we would have a circular dependency).
> > The thing is, once the kernel starts to run low on memory, it may
> > kill
> > that periodic daemon flushing the data for reasons unrelated to IMA.
> >
>
> I'm happy with either way (kernel writing, or userspace reading) the
> data, but with the v1 patch, there is no way for userspace to force
> that the list be flushed - it only flushes on full. I think it is
> important for userspace to be able to trigger a flush, such as just
> prior to a kexec, or prior to an attestation.

Indeed, will add in v2.


> Perhaps you could simply remove the length test in ima_export_list(),
> and export anytime the filename is provided? This could simplify
> attestation clients, which could ask for different files each time
> (list.1, list.2...), for automatic log maintenance. Since the template
> format does not have sequence numbers, this would also help keep
> track which records have already been seen.

Yes, will do something like this. Holidays cause some latency here,
but I will send an update next week.


--
Janne



More information about the Linux-security-module-archive mailing list