public inbox for linux-integrity@vger.kernel.org
From: Mimi Zohar <zohar@linux.ibm.com>
To: rishi gupta <gupt21@gmail.com>,
	zohar@linux.vnet.ibm.com, dmitry.kasatkin@gmail.com
Cc: linux-integrity@vger.kernel.org,
	Dave Chinner <david@fromorbit.com>,
	"Theodore Y. Ts'o" <tytso@mit.edu>
Subject: Re: ima: why IMA_APPRAISE_DIRECTORIES patch is not mainlined
Date: Thu, 05 Jul 2018 11:16:38 -0400	[thread overview]
Message-ID: <1530803798.3773.112.camel@linux.ibm.com> (raw)
In-Reply-To: <CALUj-gtOL3wDoo=QC68zhnwOsnfBistA_X97WzWAu6_v5T-xWQ@mail.gmail.com>

[CC'ing Dave Chinner, Ted Tso]

Hi Rishi,

On Thu, 2018-07-05 at 16:08 +0530, rishi gupta wrote:
> Hi Dmitry and security team members,
> 
> I am willing to take the directory protection IMA patch into a commercial
> product, but observed that it has not been mainlined. Is there any reason
> for not mainlining it? Are there any better options for protecting a
> directory using IMA/EVM or some other security schemes?
> 
> https://lwn.net/Articles/512364/
> https://kernel.googlesource.com/pub/scm/linux/kernel/git/kasatkin/linux-digsig/+/ima-dir-experimental/security/integrity/ima/ima_dir.c

The main purpose of the IMA-directory patch set is to protect file
names from offline attack.  Dmitry's patch set protects file names at
the immediate directory level, but does not extend up to the root
directory.  I brought up the topic of protecting file names at
LSF/MM[1].  Others in the community are aware of the problem and need
to be involved in the discussions as to how to address it.

[1] https://lwn.net/Articles/753276/

Mimi
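An added illustration of the gap Mimi describes, not code from this thread or from Dmitry's patch set: a toy in-memory tree where each directory carries a stored label (a stand-in for a per-directory xattr), compared under two constructed schemes, one binding only the immediate directory's entry names and one chaining each name to its entry's digest up to the root. The tree, the digest formats and the labelling are assumptions made for the demonstration, not the ima_dir.c algorithm.

```python
import hashlib

def sha(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def names_digest(d: dict) -> str:
    """Immediate-level scheme: digest over the entry names of this one directory."""
    return sha(b"\0".join(n.encode() for n in sorted(d)))

def tree_digest(d: dict) -> str:
    """Chained scheme: each name is bound to its entry's digest, down to every leaf."""
    acc = hashlib.sha256()
    for n in sorted(d):
        child = d[n]
        child_digest = sha(child) if isinstance(child, bytes) else tree_digest(child)
        acc.update(n.encode() + b"\0" + child_digest.encode() + b"\0")
    return acc.hexdigest()

def label_tree(d: dict, digest_fn, labels=None) -> dict:
    """Stand-in for the per-directory xattr: the label travels with the directory object."""
    labels = {} if labels is None else labels
    labels[id(d)] = digest_fn(d)
    for child in d.values():
        if isinstance(child, dict):
            label_tree(child, digest_fn, labels)
    return labels

def verify_path(root: dict, digest_fn, labels: dict, path: str) -> bool:
    """Appraise every directory from the root down to `path` against its stored label."""
    node = root
    for comp in [c for c in path.split("/") if c]:
        if labels[id(node)] != digest_fn(node):
            return False
        node = node[comp]
    return True

def build_fs() -> dict:
    # Constructed sample tree: a trusted shell and a stale copy kept beside it.
    return {"usr": {"bin": {"sh": b"trusted shell"}, "bin.old": {"sh": b"stale shell"}}}

def swap_detected(digest_fn) -> bool:
    """Label the tree, swap the two sibling directories offline, re-appraise /usr/bin/sh."""
    fs = build_fs()
    labels = label_tree(fs, digest_fn)
    assert verify_path(fs, digest_fn, labels, "/usr/bin/sh")
    usr = fs["usr"]
    usr["bin"], usr["bin.old"] = usr["bin.old"], usr["bin"]  # names unchanged, contents moved
    return not verify_path(fs, digest_fn, labels, "/usr/bin/sh")
```

`swap_detected(names_digest)` returns False because every directory still matches its own label after the swap, while `swap_detected(tree_digest)` returns True because the parent's label no longer matches the subtree now reachable under the same name.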
