lists.openwall.net: Open Source and information security mailing list archives
Date:   Fri, 20 Nov 2020 15:40:11 -0800
From:   Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>
To:     Mimi Zohar <zohar@...ux.ibm.com>,
        Tushar Sugandhi <tusharsu@...ux.microsoft.com>,
        stephen.smalley.work@...il.com, casey@...aufler-ca.com,
        agk@...hat.com, snitzer@...hat.com, gmazyland@...il.com,
        paul@...l-moore.com
Cc:     tyhicks@...ux.microsoft.com, sashal@...nel.org, jmorris@...ei.org,
        linux-integrity@...r.kernel.org, selinux@...r.kernel.org,
        linux-security-module@...r.kernel.org,
        linux-kernel@...r.kernel.org, dm-devel@...hat.com
Subject: Re: [PATCH v6 8/8] selinux: measure state and hash of the policy using IMA

On 11/20/20 7:49 AM, Mimi Zohar wrote:
Hi Mimi,

> 
> On Thu, 2020-11-19 at 15:26 -0800, Tushar Sugandhi wrote:
>> From: Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>
>>
>> IMA measures files and buffer data such as keys, command line arguments
>> passed to the kernel on kexec system call, etc. While these measurements
>> enable monitoring and validating the integrity of the system, it is not
>> sufficient.
> 
> The above paragraph would make a good cover letter introduction.

Agreed - will add this paragraph to the cover letter as well.

> 
>> In-memory data structures maintained by various kernel
>> components store the current state and policies configured for
>> the components.
> 
> Various data structures, policies and state stored in kernel memory
> also impact the integrity of the system.

Will update.

> 
> The 2nd paragraph could provide examples of such integrity critical
> data.

Will do.

> 
> This patch set introduces a new IMA hook named
> ima_measure_critical_data() to measure kernel integrity critical data.
> 

*Question*
I am not clear about this one - do you mean add the following line in 
the patch description for the selinux patch?

"This patch introduces the first use of the new IMA hook namely 
ima_measure_critical_data() to measure the integrity critical data for 
SELinux"

thanks,
  -lakshmi
