| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 13 Aug 2008 13:03:23 -0400 From: Mimi Zohar <zohar@...ux.vnet.ibm.com> To: "Serge E. Hallyn" <serue@...ibm.com> Cc: Christoph Hellwig <hch@...radead.org>, Mimi Zohar <zohar@...ibm.com>, linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org, Al Viro <viro@...IV.linux.org.uk>, Stephen Smalley <sds@...ho.nsa.gov>, James Morris <jmorris@...ei.org>, Randy Dunlap <randy.dunlap@...cle.com>, safford@...son.ibm.com, serue@...ux.vnet.ibm.com, sailer@...son.ibm.com Subject: Re: [PATCH 3/4] integrity: Linux Integrity Module(LIM) On Tue, 2008-08-12 at 16:19 -0500, Serge E. Hallyn wrote: > Quoting Christoph Hellwig (hch@...radead.org): > > On Mon, Aug 11, 2008 at 12:02:55PM -0500, Serge E. Hallyn wrote: > > > > > Sorry, but I don't think we can bloat the inode even further for this. > > > > > > > > The original version of IMA was LSM based, using i_security. Based > > > > on discussions on the LSM mailing list, it was decided that the LSM hooks > > > > were meant only for access control. During the same time frame, there > > > > was a lot of work done in stacking LSM modules and i_security, but that > > > > approach was dropped. It was suggested that we define a separate set of > > > > hooks for integrity, which this patch set provides. Caching integrity > > > > results is an important aspect. Any suggestions in lieu of defining > > > > i_integrity? > > > > > > The i_integrity is only bloating the inode if LIM is enabled. Surely > > > that beats having LIM define its own hash table and locking to track > > > integrity labels on inodes? Do you have another suggestion? > > > > > > Or is the concern about having more #ifdefs in the struct inode > > > definition? > > > > No, the concern is over bloating the inode for a rather academic fringe > > feature. As this comes from IBM I'm pretty sure someone will pressure > > the big distro to turn it on. > > By default?? I should hope not... > > Note that these are all not loadable modules. So presumably either it's > in the kernel and enforcing, or it's not there. > > > And inode growth is a concern for > > fileserving or other inode heavy workload. Mimi mentioned this is just > > a cache of information, so consider using something like XFS's mru cache > > which is used for something similar where the xfs_inode was kept small > > despite a very niche feature needing a cache attached to the inode: > > > > fs/xfs/xfs_mru_cache.c > > ok, so basically as I said above > > > > ... having LIM define its own hash table and locking to track > > > integrity labels on inodes? > > :) > > But then that is in fact the better way to go if there can be a lot > of inodes with i_integrity=NULL. It looks like IMA always allocates > something, but if I understand the idea behind templates correctly, > that isn't necessarily always the case. > > thanks, > -serge IMA has a two stage initialization, one at security_initcall() and another at late_initcall(), when the tpm is available, to make sure that all inode's i_integrity are allocated. Multiple templates can register themselves with LIM, but only one integrity provider, such as IMA, can register itself at a time. So hypothetically, other integrity providers could be implemented without a need for i_integrity. Mimi -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists