[PATCH v10 5/8] IMA: limit critical data measurement based on a label
Mimi Zohar
zohar at linux.ibm.com
Thu Jan 14 02:09:23 UTC 2021
On Thu, 2021-01-07 at 20:07 -0800, Tushar Sugandhi wrote:
> Integrity critical data may belong to a single subsystem or it may
> arise from cross subsystem interaction. Currently there is no mechanism
> to group or limit the data based on certain label. Limiting and
> grouping critical data based on a label would make it flexible and
> configurable to measure.
>
> Define "label:=", a new IMA policy condition, for the IMA func
> CRITICAL_DATA to allow grouping and limiting measurement of integrity
> critical data.
>
> Limit the measurement to the labels that are specified in the IMA
> policy - CRITICAL_DATA+"label:=". If "label:=" is not provided with
> the func CRITICAL_DATA, measure all the input integrity critical data.
>
> Signed-off-by: Tushar Sugandhi <tusharsu at linux.microsoft.com>
> Reviewed-by: Tyler Hicks <tyhicks at linux.microsoft.com>
This is looking a lot better.
thanks,
Mimi
More information about the Linux-security-module-archive
mailing list