[PATCH v10 8/8] selinux: include a consumer of the new IMA critical data hook

Lakshmi Ramasubramanian nramas at linux.microsoft.com
Thu Jan 14 17:48:35 UTC 2021


On 1/14/21 8:50 AM, Mimi Zohar wrote:
> On Thu, 2021-01-14 at 11:44 -0500, Mimi Zohar wrote:
>> [Cc'ing Sasha]
>>
>> Hi Lakshmi,
>>
>> On Thu, 2021-01-14 at 08:22 -0800, Lakshmi Ramasubramanian wrote:
>>> On 1/13/21 6:49 PM, Mimi Zohar wrote:
>>
>>>>>> Lakshmi is trying to address the situation where an event changes a
>>>>>> value, but then is restored to the original value.  The original and
>>>>>> subsequent events are measured, but restoring to the original value
>>>>>> isn't re-measured.  This isn't any different than when a file is
>>>>>> modified and then reverted.
>>>>>>
>>>>>> Instead of changing the name like this, which doesn't work for files,
>>>>>> allowing duplicate measurements should be generic, based on policy.
>>>>>
>>>>> Perhaps it is just the end of the day and I'm a bit tired, but I just
>>>>> read all of the above and I have no idea what your current thoughts
>>>>> are regarding this patch.
>>>>
>>>> Other than appending the timestamp, which is a hack, the patch is fine.
>>>> Support for re-measuring an event can be upstreamed independently.
>>>>
>>>
>>> Thanks for clarifying the details related to duplicate measurement
>>> detection and re-measuring.
>>>
>>> I will keep the timestamp for the time being, even though its a hack, as
>>> it helps with re-measuring state changes in SELinux. We will add support
>>> for "policy driven" re-measurement as a subsequent patch series.
>>
>> Once including the timestamp is upstreamed, removing it will be
>> difficult, especially if different userspace applications are dependent
>> on it.  Unless everyone is on board that removing the timestamp
>> wouldn't be considered a regression, it cannot be upstreamed.
> 
> Feel free to just re-post just this one patch.  Otherwise the patch set
> looks good.
> 
> thanks,
> 

Sounds good Mimi - I will remove the timestamp and re-post the selinux 
patch.

thanks,
  -lakshmi




More information about the Linux-security-module-archive mailing list