| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 6 Aug 2020 09:51:57 +1000 (AEST)
From: James Morris <jmorris@...ei.org>
To: Mimi Zohar <zohar@...ux.ibm.com>
cc: James Bottomley <James.Bottomley@...senPartnership.com>,
Deven Bowers <deven.desai@...ux.microsoft.com>,
Pavel Machek <pavel@....cz>, Sasha Levin <sashal@...nel.org>,
snitzer@...hat.com, dm-devel@...hat.com,
tyhicks@...ux.microsoft.com, agk@...hat.com, paul@...l-moore.com,
corbet@....net, nramas@...ux.microsoft.com, serge@...lyn.com,
pasha.tatashin@...een.com, jannh@...gle.com,
linux-block@...r.kernel.org, viro@...iv.linux.org.uk,
axboe@...nel.dk, mdsakib@...rosoft.com,
linux-kernel@...r.kernel.org, eparis@...hat.com,
linux-security-module@...r.kernel.org, linux-audit@...hat.com,
linux-fsdevel@...r.kernel.org, linux-integrity@...r.kernel.org,
jaskarankhurana@...ux.microsoft.com
Subject: Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement
LSM (IPE)
On Wed, 5 Aug 2020, Mimi Zohar wrote:
> If block layer integrity was enough, there wouldn't have been a need
> for fs-verity. Even fs-verity is limited to read only filesystems,
> which makes validating file integrity so much easier. From the
> beginning, we've said that fs-verity signatures should be included in
> the measurement list. (I thought someone signed on to add that support
> to IMA, but have not yet seen anything.)
>
> Going forward I see a lot of what we've accomplished being incorporated
> into the filesystems. When IMA will be limited to defining a system
> wide policy, I'll have completed my job.
What are your thoughts on IPE being a standalone LSM? Would you prefer to
see its functionality integrated into IMA?
Powered by blists - more mailing lists