From: jlayton@redhat.com (Jeff Layton)
To: linux-security-module@vger.kernel.org
Subject: [RFC PATCH 2/4] ima: define new ima_sb_post_new_mount hook
Date: Thu, 07 Dec 2017 09:50:16 -0500 [thread overview]
Message-ID: <1512658216.1350.16.camel@redhat.com> (raw)
In-Reply-To: <1512657359.3527.49.camel@linux.vnet.ibm.com>
On Thu, 2017-12-07 at 09:35 -0500, Mimi Zohar wrote:
> Hi Jeff,
>
> [The IMA/EVM and the TPM mailing lists have been combined as a single
> linux-integrity mailing list.]
>
> On Thu, 2017-12-07 at 07:26 -0500, Jeff Layton wrote:
> > Sorry for the late review. I just started dusting off my i_version
> > rework, and noticed that IMA still has unaddressed problems here.
>
> <snip>
>
> > Personally, I'm not a huge fan of this scheme. It seems quite invasive,
> > and doesn't really seem to address the stated problem well.
>
> A cleaned up version of this patch set was meant to follow the
> introduction of a new integrity_read method, but that patch set was
> rejected. At this point, I have no intentions of upstreaming a
> cleaned up version this patch set either.
>
> > The warning itself seems ok, but I don't really see what's wrong with
> > performing remeasurement when the mtime changes on filesystems that
> > don't have SB_I_VERSION set. Surely that's better than limiting it to an
> > initial measurement?
> >
> > Maybe I just don't understand what you're really trying to achieve here.
>
> Based on discussions with Sascha Hauer, he convinced me the i_version
> test is basically just a performance improvement and posted a patch
> that checks the filesystem for i_version support, before relying on it
> - https://www.spinics.net/lists/linux-integrity/msg00033.html.
>
> Mimi
>
Thanks for the link. That patch looks good to me. Any idea when and if
it will be merged?
Thanks,
--
Jeff Layton <jlayton@redhat.com>
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-12-07 14:50 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-16 17:30 [RFC PATCH 0/4] ima: filesystems not mounted with i_version Mimi Zohar
2017-08-16 17:30 ` [RFC PATCH 1/4] security: define new LSM sb_post_new_mount hook Mimi Zohar
2017-08-16 17:30 ` [RFC PATCH 2/4] ima: define new ima_sb_post_new_mount hook Mimi Zohar
2017-08-16 19:24 ` Casey Schaufler
2017-08-16 20:59 ` Mimi Zohar
2017-08-17 2:39 ` [Linux-ima-devel] " James Morris
2017-12-07 12:26 ` Jeff Layton
2017-12-07 14:35 ` Mimi Zohar
2017-12-07 14:50 ` Jeff Layton [this message]
2017-12-07 15:08 ` Mimi Zohar
2017-12-07 15:09 ` Jeff Layton
2017-12-15 21:13 ` Jeff Layton
2017-08-16 17:30 ` [RFC PATCH 3/4] security: define a new LSM sb_post_remount hook Mimi Zohar
2017-08-16 17:30 ` [RFC PATCH 4/4] ima: define a new ima_sb_post_remount hook Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1512658216.1350.16.camel@redhat.com \
--to=jlayton@redhat.com \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).