[PATCH v6 8/8] selinux: measure state and hash of the policy using IMA
Lakshmi Ramasubramanian
nramas at linux.microsoft.com
Fri Nov 20 23:40:11 UTC 2020
Hi Mimi,

On 11/20/20 7:49 AM, Mimi Zohar wrote:
>
> On Thu, 2020-11-19 at 15:26 -0800, Tushar Sugandhi wrote:
>> From: Lakshmi Ramasubramanian <nramas at linux.microsoft.com>
>>
>> IMA measures files and buffer data such as keys, command line arguments
>> passed to the kernel on kexec system call, etc. While these measurements
>> enable monitoring and validating the integrity of the system, it is not
>> sufficient.
>
> The above paragraph would make a good cover letter introduction.
Agreed - will add this paragraph to the cover letter as well.
>
>> In-memory data structures maintained by various kernel
>> components store the current state and policies configured for
>> the components.
>
> Various data structures, policies and state stored in kernel memory
> also impact the integrity of the system.
Will update.
>
> The 2nd paragraph could provide examples of such integrity critical
> data.
Will do.
>
> This patch set introduces a new IMA hook named
> ima_measure_critical_data() to measure kernel integrity critical data.
>
*Question*
I am not clear about this one - do you mean add the following line in
the patch description for the selinux patch?
"This patch introduces the first use of the new IMA hook, namely
ima_measure_critical_data(), to measure the integrity critical data for
SELinux"
thanks,
-lakshmi