lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 06 Nov 2020 08:43:01 -0500 From: Mimi Zohar <zohar@...ux.ibm.com> To: Tushar Sugandhi <tusharsu@...ux.microsoft.com>, stephen.smalley.work@...il.com, casey@...aufler-ca.com, agk@...hat.com, snitzer@...hat.com, gmazyland@...il.com, paul@...l-moore.com Cc: tyhicks@...ux.microsoft.com, sashal@...nel.org, jmorris@...ei.org, nramas@...ux.microsoft.com, linux-integrity@...r.kernel.org, selinux@...r.kernel.org, linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org, dm-devel@...hat.com Subject: Re: [PATCH v5 4/7] IMA: add policy to measure critical data Hi Tushar, On Sun, 2020-11-01 at 14:26 -0800, Tushar Sugandhi wrote: > System administrators should be able to choose which kernel subsystems > they want to measure the critical data for. To enable that, an IMA policy > option to choose specific kernel subsystems is needed. This policy option > would constrain the measurement of the critical data to the given kernel > subsystems. Measuring critical data should not be dependent on the source of the critical data. This patch needs to be split up. The "data sources" should be move to it's own separate patch. This patch should be limited to adding the policy code needed for measuring criticial data. Limiting critical data sources should be the last patch in this series. thanks, Mimi > > Add a new IMA policy option - "data_sources:=" to the IMA func > CRITICAL_DATA to allow measurement of various kernel subsystems. This > policy option would enable the system administrators to limit the > measurement to the subsystems listed in "data_sources:=", if the > subsystem measures its data by calling ima_measure_critical_data(). > > Limit the measurement to the subsystems that are specified in the IMA > policy - CRITICAL_DATA+"data_sources:=". If "data_sources:=" is not > provided with the func CRITICAL_DATA, measure the data from all the > supported kernel subsystems. > > Signed-off-by: Tushar Sugandhi <tusharsu@...ux.microsoft.com>
Powered by blists - more mailing lists