From: Mimi Zohar <zohar@linux.ibm.com>
To: Tushar Sugandhi <tusharsu@linux.microsoft.com>,
stephen.smalley.work@gmail.com, casey@schaufler-ca.com,
agk@redhat.com, snitzer@redhat.com, gmazyland@gmail.com,
paul@paul-moore.com
Cc: tyhicks@linux.microsoft.com, sashal@kernel.org,
jmorris@namei.org, nramas@linux.microsoft.com,
linux-integrity@vger.kernel.org, selinux@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, dm-devel@redhat.com
Subject: Re: [PATCH v5 3/7] IMA: add hook to measure critical data
Date: Thu, 12 Nov 2020 18:56:01 -0500
Message-ID: <0f25c77c042f3e62405f12966c2358fe8cd82116.camel@linux.ibm.com>
In-Reply-To: <25622ca6-359d-fa97-c5e6-e314cba51306@linux.microsoft.com>
Hi Tushar,
On Thu, 2020-11-12 at 13:57 -0800, Tushar Sugandhi wrote:
> >> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> >> index 4485d87c0aa5..6e1b11dcba53 100644
> >> --- a/security/integrity/ima/ima_main.c
> >> +++ b/security/integrity/ima/ima_main.c
> >> @@ -921,6 +921,44 @@ void ima_kexec_cmdline(int kernel_fd, const void *buf, int size)
> >> fdput(f);
> >> }
> >>
> >> +/**
> >> + * ima_measure_critical_data - measure kernel subsystem data
> >> + * critical to integrity of the kernel
> >
> > Please change this to "measure kernel integrity critical data".
> >
> *Question*
> Thanks Mimi. Do you want us just to update the description, or do you
> want us to update the function name too?
Just the description.
>
> I believe you meant just description, but still want to clarify.
>
> ima_measure_kernel_integrity_critical_data() would be too long.
> Maybe ima_measure_integrity_critical_data()?
>
> Or do you want us to keep the existing ima_measure_critical_data()?
> Could you please let us know?
>
> >> + * @event_data_source: name of the data source being measured;
> >> + * typically it should be the name of the kernel subsystem that is sending
> >> + * the data for measurement
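Review bot: the `@event_data_source:` kernel-doc lines in this hunk document a parameter that the reply in this message says does not belong in patch 3/7; if the parameter is moved out of ima_measure_critical_data() here, these three comment lines must move with it, otherwise scripts/kernel-doc reports an excess parameter description because the comment and the prototype disagree. If the parameter does stay, keep the field line short, e.g. `@event_data_source: kernel data source`, and move the "typically the kernel subsystem sending the data" sentence into the function description above the parameter list.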
> >
> > Including "data_source" here isn't quite right. "data source" should
> > only be added in the first patch which uses it, not here. When adding
> > it please shorten the field description to "kernel data source". The
> > longer explanation can be included in the longer function description.
> >
> *Question*
> Do you mean the parameter @event_data_source should be removed from this
> patch? And then later added in patch 7/7 – where SELinux uses it?
Data source support doesn't belong in this patch. Each patch should do
one logical thing and only that one thing. This patch is adding
support for measuring critical data. The data source patch will limit
the critical data being measured.
Other than updating the data source list in the documentation,
definitely do not add data source support to the SELinux patch.
thanks,
Mimi
Thread overview: 31+ messages
2020-11-01 22:26 [PATCH v5 0/7] IMA: Infrastructure for measurement of critical kernel data Tushar Sugandhi
2020-11-01 22:26 ` [PATCH v5 1/7] IMA: generalize keyring specific measurement constructs Tushar Sugandhi
2020-11-01 22:26 ` [PATCH v5 2/7] IMA: update process_buffer_measurement to measure buffer hash Tushar Sugandhi
2020-11-05 14:30 ` Mimi Zohar
2020-11-12 21:47 ` Tushar Sugandhi
2020-11-12 22:19 ` Mimi Zohar
2020-11-12 23:16 ` Tushar Sugandhi
2020-11-06 12:11 ` Mimi Zohar
2020-11-12 21:48 ` Tushar Sugandhi
2020-11-01 22:26 ` [PATCH v5 3/7] IMA: add hook to measure critical data Tushar Sugandhi
2020-11-06 13:24 ` Mimi Zohar
2020-11-12 21:57 ` Tushar Sugandhi
2020-11-12 23:56 ` Mimi Zohar [this message]
2020-11-13 17:23 ` Tushar Sugandhi
2020-11-01 22:26 ` [PATCH v5 4/7] IMA: add policy " Tushar Sugandhi
2020-11-06 13:43 ` Mimi Zohar
2020-11-12 22:02 ` Tushar Sugandhi
2020-11-01 22:26 ` [PATCH v5 5/7] IMA: validate supported kernel data sources before measurement Tushar Sugandhi
2020-11-06 14:01 ` Mimi Zohar
2020-11-12 22:09 ` Tushar Sugandhi
2020-11-13 0:06 ` Mimi Zohar
2020-11-01 22:26 ` [PATCH v5 6/7] IMA: add critical_data to the built-in policy rules Tushar Sugandhi
2020-11-06 15:24 ` Mimi Zohar
2020-11-06 15:37 ` Lakshmi Ramasubramanian
2020-11-06 23:51 ` Lakshmi Ramasubramanian
2020-11-08 15:46 ` Mimi Zohar
2020-11-09 17:24 ` Lakshmi Ramasubramanian
2020-11-01 22:26 ` [PATCH v5 7/7] selinux: measure state and hash of the policy using IMA Tushar Sugandhi
2020-11-06 15:47 ` Mimi Zohar
2020-11-05 0:31 ` [PATCH v5 0/7] IMA: Infrastructure for measurement of critical kernel data Mimi Zohar
2020-11-12 22:18 ` Tushar Sugandhi