[PATCH v10 5/8] IMA: limit critical data measurement based on a label

Mimi Zohar zohar at linux.ibm.com
Thu Jan 14 02:09:23 UTC 2021

On Thu, 2021-01-07 at 20:07 -0800, Tushar Sugandhi wrote:
> Integrity critical data may belong to a single subsystem or it may
> arise from cross subsystem interaction.  Currently there is no mechanism
> to group or limit the data based on certain label.  Limiting and
> grouping critical data based on a label would make it flexible and
> configurable to measure.
> Define "label:=", a new IMA policy condition, for the IMA func
> CRITICAL_DATA to allow grouping and limiting measurement of integrity
> critical data.
> Limit the measurement to the labels that are specified in the IMA
> policy - CRITICAL_DATA+"label:=".  If "label:=" is not provided with
> the func CRITICAL_DATA, measure all the input integrity critical data.
> Signed-off-by: Tushar Sugandhi <tusharsu at linux.microsoft.com>
> Reviewed-by: Tyler Hicks <tyhicks at linux.microsoft.com>

This is looking a lot better.



More information about the Linux-security-module-archive mailing list