From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932298Ab0JRPCp (ORCPT ); Mon, 18 Oct 2010 11:02:45 -0400 Received: from canuck.infradead.org ([134.117.69.58]:52427 "EHLO canuck.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753388Ab0JRPCo convert rfc822-to-8bit (ORCPT ); Mon, 18 Oct 2010 11:02:44 -0400 Subject: Re: ima: use of radix tree cache indexing == massive waste of memory? From: Peter Zijlstra To: "Ted Ts'o" Cc: Eric Paris , Eric Paris , Mimi Zohar , Christoph Hellwig , Dave Chinner , linux-kernel@vger.kernel.org, Mimi Zohar , warthog9@kernel.org, hpa@zytor.com, devel@lists.fedoraprojet.org In-Reply-To: <20101018145930.GE4120@thunk.org> References: <20101016065206.GO4681@dastard> <20101016192027.GA6883@infradead.org> <1287295077.3020.83.camel@localhost.localdomain> <1287313332.1998.172.camel@laptop> <1287323960.1998.360.camel@laptop> <1287324983.2530.35.camel@localhost.localdomain> <1287403048.29097.1553.camel@twins> <20101018145930.GE4120@thunk.org> Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 8BIT Date: Mon, 18 Oct 2010 17:02:02 +0200 Message-ID: <1287414122.29097.1611.camel@twins> Mime-Version: 1.0 X-Mailer: Evolution 2.28.3 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 2010-10-18 at 10:59 -0400, Ted Ts'o wrote: > On Mon, Oct 18, 2010 at 01:57:28PM +0200, Peter Zijlstra wrote: > > Well, you could use the actual freezer to freeze luserspace and then > > simply iterate all open files, I mean, those few sods who actually want > > this enabled can either pass a boot option to enable from boot or suffer > > the overhead on enable, right? > > I'm a little confused why anyone would want to turn on IMA at any time > other than right away at boot? If you haven't been doing integrity > management checking from the very beginning of the boot process, what > does turning on IMA after the system has booted buy you in the way of > security protections? > > In other words, turning on IMA via a boot option seems to be the only > thing that makes any sense at all. Fine with me.. I simply understood there was a requirement for post-boot enablement and tried to come up with a solution for that.