[PATCH v2] ima: export the measurement list when needed
Janne Karhunen
janne.karhunen at gmail.com
Mon Jan 27 09:03:03 UTC 2020
On Sun, Jan 26, 2020 at 7:01 PM Mimi Zohar <zohar at linux.ibm.com> wrote:
> > > I don't think it is common, and probably not acceptable, for the
> > > kernel to open a file for writing.
> >
> > Ok. It just means that the kernel cannot do its own memory management
> > and will depend on the user flushing the memory often enough to
> > prevent something bad from happening. Is this more common in the
> > kernel than writing out a file?
>
> Ok, there are examples of both passing a file descriptor and passing a
> pathname from userspace, but even in the case of passing a pathname,
> userspace normally creates the file.
Sorry, I was slow to get your proposal. I'll try to see how that would
look like.
> There's been discussion in the past of defining an integrity
> capability. Are we at that point where we really do need to define an
> integrity capability or is everyone comfortable with relying on
> CAP_SYS_ADMIN?
Every time something like this is being proposed there is a lot of
shouting from people that they want their root user (renamed as
CAP_SYS_ADMIN) back. I'd be happy with such bit and several others,
too.
> When implementing this feature of exporting and truncating the
> measurement list, please keep in mind how this would work in the
> context of IMA namespaces.
That could be rough. I'll try to think about it.
--
Janne
More information about the Linux-security-module-archive
mailing list