From: Raphael Gianotti <raphgi@linux.microsoft.com>
To: janne.karhunen@gmail.com, linux-integrity@vger.kernel.org,
zohar@linux.ibm.com
Cc: kgold@linux.ibm.com, david.safford@gmail.com, monty.wiseman@ge.com
Subject: Re: [RFC] ima: export the measurement list when needed
Date: Mon, 17 Aug 2020 14:30:11 -0700
Message-ID: <57e0095a-ff6f-e5dc-6250-1320bd6518cb@linux.microsoft.com>
In-Reply-To: <436e3951-d6d5-014a-dde1-8a6398dfe7a1@linux.microsoft.com>
Hi Janne,
> Subject: Re: [RFC] ima: export the measurement list when needed
> Date: Wed, 18 Dec 2019 17:11:22 +0200
> From: Janne Karhunen <janne.karhunen@gmail.com>
> To: linux-integrity@vger.kernel.org, Mimi Zohar <zohar@linux.ibm.com>
> CC: Ken Goldman <kgold@linux.ibm.com>, david.safford@gmail.com,
> monty.wiseman@ge.com
>
> Hi,
>
> Have in mind that below is the first trial draft that booted and
> seemingly accomplished the task once; it was not really tested at all
> yet. I will make a polished and tested version if people like the
> concept.
>
> Note that the code (almost) supports pushing and pulling of the
> entries. This variant is a simple pull given that the list size is
> above the defined limits. Pushing can be put in place if the recursion
> with the list extend_list_mutex is cleared, maybe this could be done
> via another patch later on when we have a workqueue for the export
> task? The workqueue might be the best context for the export job since
> clearing the list is a heavy operation (and it's not entirely correct
> here AFAIK, there is no rcu sync before the template free).
>
>
> -- Janne
>
> On Wed, Dec 18, 2019 at 2:53 PM Janne Karhunen
> <janne.karhunen@gmail.com> wrote:
>>
>> Some systems can end up carrying lots of entries in the ima
>> measurement list. Since every entry is using a bit of kernel
>> memory, add a new Kconfig variable to allow the sysadmin to
>> define the maximum measurement list size and the location
>> of the exported list.
>>
>> The list is written out in append mode, so the system will
>> keep writing new entries as long as it stays running or runs
>> out of space. The file is also automatically truncated on startup.
>>
>> Signed-off-by: Janne Karhunen <janne.karhunen@gmail.com>
>> ---
>>  security/integrity/ima/Kconfig     |  10 ++
>>  security/integrity/ima/ima.h       |   7 +-
>>  security/integrity/ima/ima_fs.c    | 178 +++++++++++++++++++++++++++++
>>  security/integrity/ima/ima_queue.c |   2 +-
>>  4 files changed, 192 insertions(+), 5 deletions(-)
I've been looking into a solution to this same issue you started some
work on. I was wondering if you are still working on it. I was
considering taking your initial prototyping on this and extending it
into a final solution, but I wanted to reply here first and check if you
are currently working on this.
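The export scheme described in the quoted patch (a bounded in-memory measurement list, oldest entries appended to an export file, the file truncated at startup), written out as an added userspace model. This is not code from Janne's patch or from the kernel's IMA code: the four-entry limit and the export path are constructed stand-ins for the Kconfig values, FNV-1a stands in for the SHA-based PCR extend, and the list is a plain singly linked list with no locking or RCU. The point the model adds is that once entries leave memory, an attestation verifier has to replay the export file and the live list together to reproduce the PCR, so the export file becomes part of the evidence and any gap or edit in it shows up as a PCR mismatch.

```c
/* Added example: userspace model of an IMA-style measurement list with a
 * size cap and an export file. Not the kernel's IMA implementation. */
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_IN_MEMORY 4                 /* constructed; stands in for the Kconfig limit */
#define EXPORT_PATH   "ima_export.txt"  /* constructed; stands in for the Kconfig path */

struct entry {
    char name[64];
    uint64_t digest;                    /* constructed stand-in for the file digest */
    struct entry *next;
};

static struct entry *head, *tail;
static size_t count;
static uint64_t pcr;                    /* stand-in for the TPM PCR aggregate */

/* FNV-1a, seeded: a toy stand-in for the SHA hash used by a real PCR. */
static uint64_t fnv1a(uint64_t seed, const void *p, size_t n)
{
    const unsigned char *b = p;
    uint64_t h = seed ^ 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* PCR-extend analogue: new = H(old || digest). */
static uint64_t extend(uint64_t old, uint64_t digest)
{
    return fnv1a(old, &digest, sizeof digest);
}

/* "Boot": truncate the export file and reset the in-memory state. */
int ima_export_init(void)
{
    FILE *f = fopen(EXPORT_PATH, "w");
    if (!f) return -1;
    fclose(f);
    while (head) { struct entry *e = head; head = e->next; free(e); }
    tail = NULL; count = 0; pcr = 0;
    return 0;
}

/* Pull mode: while the list is over the limit, append the oldest entries
 * to the export file and free them. Returns the number exported, -1 on error. */
static int export_oldest(void)
{
    FILE *f = fopen(EXPORT_PATH, "a");
    if (!f) return -1;
    int n = 0;
    while (count > MAX_IN_MEMORY) {
        struct entry *e = head;
        fprintf(f, "%016llx %s\n", (unsigned long long)e->digest, e->name);
        head = e->next;
        if (!head) tail = NULL;
        free(e);
        count--; n++;
    }
    fclose(f);
    return n;
}

/* Append a measurement, extend the PCR, and spill if over the limit. */
int ima_add_measurement(const char *name, uint64_t digest)
{
    struct entry *e = calloc(1, sizeof *e);
    if (!e) return -1;
    snprintf(e->name, sizeof e->name, "%s", name);
    e->digest = digest;
    if (tail) tail->next = e; else head = e;
    tail = e; count++;
    pcr = extend(pcr, digest);          /* the PCR sees every entry, exported or not */
    return count > MAX_IN_MEMORY ? export_oldest() : 0;
}

size_t   ima_in_memory_count(void) { return count; }
uint64_t ima_pcr(void)             { return pcr; }

/* Verifier view: replay the export file first, then the live list, and
 * compare with the PCR. Returns 1 on match, 0 on mismatch, -1 on I/O error. */
int ima_verify_against_pcr(void)
{
    uint64_t replay = 0;
    unsigned long long d;
    char name[64];
    FILE *f = fopen(EXPORT_PATH, "r");
    if (!f) return -1;
    while (fscanf(f, "%llx %63s", &d, name) == 2)
        replay = extend(replay, (uint64_t)d);
    fclose(f);
    for (struct entry *e = head; e; e = e->next)
        replay = extend(replay, e->digest);
    return replay == pcr;
}

int main(void)
{
    ima_export_init();
    for (int i = 0; i < 10; i++) {
        char name[32];
        snprintf(name, sizeof name, "/bin/tool%d", i);
        ima_add_measurement(name, 0x1000 + i);   /* constructed digests */
    }
    printf("in memory: %zu, verify: %d\n", ima_in_memory_count(), ima_verify_against_pcr());
    return 0;
}
```

The model spills synchronously from the add path, which is the "simple pull" variant in the quoted note; the RCU synchronisation before freeing entries and the workqueue context Janne mentions are exactly what is missing here and would be needed in the kernel.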
Thread overview: 10+ messages
[not found] <436e3951-d6d5-014a-dde1-8a6398dfe7a1@linux.microsoft.com>
2020-08-17 21:30 ` Raphael Gianotti [this message]
2020-08-26 8:14 ` [RFC] ima: export the measurement list when needed Janne Karhunen
2020-08-26 13:40 ` Janne Karhunen
2020-08-26 14:12 ` Janne Karhunen
2020-08-31 16:49 ` Raphael Gianotti
2020-09-01 6:52 ` Janne Karhunen
2020-09-01 21:32 ` Raphael Gianotti
2020-09-02 6:44 ` Janne Karhunen
2019-12-18 12:53 Janne Karhunen
2019-12-18 15:11 ` Janne Karhunen