[PATCH v6 8/8] selinux: measure state and hash of the policy using IMA

Mimi Zohar zohar at linux.ibm.com
Fri Nov 20 15:49:20 UTC 2020


Hi Tushar, Lakshmi,

On Thu, 2020-11-19 at 15:26 -0800, Tushar Sugandhi wrote:
> From: Lakshmi Ramasubramanian <nramas at linux.microsoft.com>
> 
> IMA measures files and buffer data such as keys, command line arguments
> passed to the kernel on kexec system call, etc. While these measurements
> enable monitoring and validating the integrity of the system, it is not
> sufficient. 

The above paragraph would make a good cover letter introduction.

> In-memory data structures maintained by various kernel
> components store the current state and policies configured for
> the components. 

Various data structures, policies and state stored in kernel memory
also impact the  integrity of the system.

The 2nd paragraph could provide examples of such integrity critical
data.

This patch set introduces a new IMA hook named
ima_measure_critical_data() to measure kernel integrity critical data.

thanks,

Mimi



More information about the Linux-security-module-archive mailing list