| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 05 Feb 2018 12:31:41 -0500
From: Mimi Zohar <zohar@...ux.vnet.ibm.com>
To: Christoph Hellwig <hch@...radead.org>
Cc: linux-integrity <linux-integrity@...r.kernel.org>,
linux-security-module <linux-security-module@...r.kernel.org>,
linux-fsdevel <linux-fsdevel@...r.kernel.org>,
linux-kernel <linux-kernel@...r.kernel.org>,
TarasKondratiuk <takondra@...co.com>,
Victor Kamensky <kamensky@...co.com>,
RobLandley <rob@...dley.net>
Subject: Re: [PATCH] ima: define new policy condition based on the
filesystem name
On Mon, 2018-01-15 at 09:19 -0800, Christoph Hellwig wrote:
> On Mon, Jan 15, 2018 at 11:40:07AM -0500, Mimi Zohar wrote:
> > rootfs IS different than other filesystems, as other filesystems
> > uniquely identify the underlying filesystem type. rootfs can be a
> > ramfs or tmpfs filesystem. Only tmpfs supports xattrs.
>
> Tons of filesystems only have xattrs optionally. Check for goddamn
> xattrs if that is the requirement and not a name that has absolutely
> zero meaning for functionality. That is the whole point!
I should have said the main reason for defining a rootfs policy rule
is not to differentiate it from ramfs, but the ability to require file
signatures.
Up to now, CPIO did not support xattrs. With Taras' proposed CPIO
xattr patch set, the initramfs can now be properly labeled with file
signatures. Since only some systems will include file signatures in
the initramfs, we need to be able to differentiate between those that
require file signatures from those that don't.
Mimi
Powered by blists - more mailing lists