From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Jeff Layton <jlayton@redhat.com>, Christoph Hellwig <hch@lst.de>,
Al Viro <viro@zeniv.linux.org.uk>
Cc: Jan Kara <jack@suse.cz>,
linux-fsdevel@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-integrity <linux-integrity@vger.kernel.org>
Subject: Re: [RFC PATCH 2/4] ima: define new ima_sb_post_new_mount hook
Date: Thu, 07 Dec 2017 09:35:59 -0500 [thread overview]
Message-ID: <1512657359.3527.49.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <1512649584.1350.14.camel@redhat.com>
Hi Jeff,
[The IMA/EVM and the TPM mailing lists have been combined as a single
linux-integrity mailing list.]
On Thu, 2017-12-07 at 07:26 -0500, Jeff Layton wrote:
> Sorry for the late review. I just started dusting off my i_version
> rework, and noticed that IMA still has unaddressed problems here.
<snip>
> Personally, I'm not a huge fan of this scheme. It seems quite invasive,
> and doesn't really seem to address the stated problem well.
A cleaned up version of this patch set was meant to follow the
introduction of a new integrity_read method, but that patch set was
rejected. At this point, I have no intentions of upstreaming a
cleaned up version this patch set either.
> The warning itself seems ok, but I don't really see what's wrong with
> performing remeasurement when the mtime changes on filesystems that
> don't have SB_I_VERSION set. Surely that's better than limiting it to an
> initial measurement?
>
> Maybe I just don't understand what you're really trying to achieve here.
Based on discussions with Sascha Hauer, he convinced me the i_version
test is basically just a performance improvement and posted a patch
that checks the filesystem for i_version support, before relying on it
- https://www.spinics.net/lists/linux-integrity/msg00033.html.
Mimi
WARNING: multiple messages have this Message-ID (diff)
From: zohar@linux.vnet.ibm.com (Mimi Zohar)
To: linux-security-module@vger.kernel.org
Subject: [RFC PATCH 2/4] ima: define new ima_sb_post_new_mount hook
Date: Thu, 07 Dec 2017 09:35:59 -0500 [thread overview]
Message-ID: <1512657359.3527.49.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <1512649584.1350.14.camel@redhat.com>
Hi Jeff,
[The IMA/EVM and the TPM mailing lists have been combined as a single
linux-integrity mailing list.]
On Thu, 2017-12-07 at 07:26 -0500, Jeff Layton wrote:
> Sorry for the late review. I just started dusting off my i_version
> rework, and noticed that IMA still has unaddressed problems here.
<snip>
> Personally, I'm not a huge fan of this scheme. It seems quite invasive,
> and doesn't really seem to address the stated problem well.
A cleaned up version of this patch set was meant to follow the
introduction of a new integrity_read method, but that patch set was
rejected. ?At this point, I have no intentions of upstreaming a
cleaned up version this patch set either.
> The warning itself seems ok, but I don't really see what's wrong with
> performing remeasurement when the mtime changes on filesystems that
> don't have SB_I_VERSION set. Surely that's better than limiting it to an
> initial measurement?
>
> Maybe I just don't understand what you're really trying to achieve here.
Based on discussions with Sascha Hauer, he convinced me the i_version
test is basically just a performance improvement and posted a patch
that checks the filesystem for i_version support, before relying on it
- ?https://www.spinics.net/lists/linux-integrity/msg00033.html.
Mimi
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Jeff Layton <jlayton@redhat.com>, Christoph Hellwig <hch@lst.de>,
Al Viro <viro@zeniv.linux.org.uk>
Cc: Jan Kara <jack@suse.cz>,
linux-fsdevel@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-integrity <linux-integrity@vger.kernel.org>
Subject: Re: [RFC PATCH 2/4] ima: define new ima_sb_post_new_mount hook
Date: Thu, 07 Dec 2017 09:35:59 -0500 [thread overview]
Message-ID: <1512657359.3527.49.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <1512649584.1350.14.camel@redhat.com>
Hi Jeff,
[The IMA/EVM and the TPM mailing lists have been combined as a single
linux-integrity mailing list.]
On Thu, 2017-12-07 at 07:26 -0500, Jeff Layton wrote:
> Sorry for the late review. I just started dusting off my i_version
> rework, and noticed that IMA still has unaddressed problems here.
<snip>
> Personally, I'm not a huge fan of this scheme. It seems quite invasive,
> and doesn't really seem to address the stated problem well.
A cleaned up version of this patch set was meant to follow the
introduction of a new integrity_read method, but that patch set was
rejected. At this point, I have no intentions of upstreaming a
cleaned up version this patch set either.
> The warning itself seems ok, but I don't really see what's wrong with
> performing remeasurement when the mtime changes on filesystems that
> don't have SB_I_VERSION set. Surely that's better than limiting it to an
> initial measurement?
>
> Maybe I just don't understand what you're really trying to achieve here.
Based on discussions with Sascha Hauer, he convinced me the i_version
test is basically just a performance improvement and posted a patch
that checks the filesystem for i_version support, before relying on it
- https://www.spinics.net/lists/linux-integrity/msg00033.html.
Mimi
next prev parent reply other threads:[~2017-12-07 14:36 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-16 17:30 [RFC PATCH 0/4] ima: filesystems not mounted with i_version Mimi Zohar
2017-08-16 17:30 ` Mimi Zohar
2017-08-16 17:30 ` [RFC PATCH 1/4] security: define new LSM sb_post_new_mount hook Mimi Zohar
2017-08-16 17:30 ` Mimi Zohar
2017-08-16 17:30 ` [RFC PATCH 2/4] ima: define new ima_sb_post_new_mount hook Mimi Zohar
2017-08-16 17:30 ` Mimi Zohar
2017-08-16 19:24 ` Casey Schaufler
2017-08-16 19:24 ` Casey Schaufler
2017-08-16 20:59 ` Mimi Zohar
2017-08-16 20:59 ` Mimi Zohar
2017-08-17 2:39 ` [Linux-ima-devel] " James Morris
2017-08-17 2:39 ` James Morris
2017-12-07 12:26 ` Jeff Layton
2017-12-07 12:26 ` Jeff Layton
2017-12-07 14:35 ` Mimi Zohar [this message]
2017-12-07 14:35 ` Mimi Zohar
2017-12-07 14:35 ` Mimi Zohar
2017-12-07 14:50 ` Jeff Layton
2017-12-07 14:50 ` Jeff Layton
2017-12-07 15:08 ` Mimi Zohar
2017-12-07 15:08 ` Mimi Zohar
2017-12-07 15:08 ` Mimi Zohar
2017-12-07 15:09 ` Jeff Layton
2017-12-07 15:09 ` Jeff Layton
2017-12-15 21:13 ` Jeff Layton
2017-12-15 21:13 ` Jeff Layton
2017-08-16 17:30 ` [RFC PATCH 3/4] security: define a new LSM sb_post_remount hook Mimi Zohar
2017-08-16 17:30 ` Mimi Zohar
2017-08-16 17:30 ` [RFC PATCH 4/4] ima: define a new ima_sb_post_remount hook Mimi Zohar
2017-08-16 17:30 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1512657359.3527.49.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=hch@lst.de \
--cc=jack@suse.cz \
--cc=jlayton@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.