[PATCH v10 5/8] IMA: limit critical data measurement based on a label

Tushar Sugandhi tusharsu at linux.microsoft.com
Thu Jan 14 17:57:27 UTC 2021

On 2021-01-13 6:09 p.m., Mimi Zohar wrote:
> On Thu, 2021-01-07 at 20:07 -0800, Tushar Sugandhi wrote:
>> Integrity critical data may belong to a single subsystem or it may
>> arise from cross subsystem interaction.  Currently there is no mechanism
>> to group or limit the data based on certain label.  Limiting and
>> grouping critical data based on a label would make it flexible and
>> configurable to measure.
>> Define "label:=", a new IMA policy condition, for the IMA func
>> CRITICAL_DATA to allow grouping and limiting measurement of integrity
>> critical data.
>> Limit the measurement to the labels that are specified in the IMA
>> policy - CRITICAL_DATA+"label:=".  If "label:=" is not provided with
>> the func CRITICAL_DATA, measure all the input integrity critical data.
>> Signed-off-by: Tushar Sugandhi <tusharsu at linux.microsoft.com>
>> Reviewed-by: Tyler Hicks <tyhicks at linux.microsoft.com>
> This is looking a lot better.
> thanks,
> Mimi
Thanks a lot for the feedback Mimi.
Appreciate it. :)


More information about the Linux-security-module-archive mailing list