[PATCH v5 4/7] IMA: add policy to measure critical data
Mimi Zohar
zohar at linux.ibm.com
Fri Nov 6 13:43:01 UTC 2020
Hi Tushar,
On Sun, 2020-11-01 at 14:26 -0800, Tushar Sugandhi wrote:
> System administrators should be able to choose which kernel subsystems
> they want to measure the critical data for. To enable that, an IMA policy
> option to choose specific kernel subsystems is needed. This policy option
> would constrain the measurement of the critical data to the given kernel
> subsystems.
Measuring critical data should not be dependent on the source of the
critical data. This patch needs to be split up. The "data sources"
should be move to it's own separate patch. This patch should be
limited to adding the policy code needed for measuring criticial data.
Limiting critical data sources should be the last patch in this series.
thanks,
Mimi
>
> Add a new IMA policy option - "data_sources:=" to the IMA func
> CRITICAL_DATA to allow measurement of various kernel subsystems. This
> policy option would enable the system administrators to limit the
> measurement to the subsystems listed in "data_sources:=", if the
> subsystem measures its data by calling ima_measure_critical_data().
>
> Limit the measurement to the subsystems that are specified in the IMA
> policy - CRITICAL_DATA+"data_sources:=". If "data_sources:=" is not
> provided with the func CRITICAL_DATA, measure the data from all the
> supported kernel subsystems.
>
> Signed-off-by: Tushar Sugandhi <tusharsu at linux.microsoft.com>
More information about the Linux-security-module-archive
mailing list