lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 14 Jan 2021 11:44:27 -0500
From:   Mimi Zohar <zohar@...ux.ibm.com>
To:     Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>,
        Paul Moore <paul@...l-moore.com>,
        Sasha Levin <sashal@...nel.org>
Cc:     Tushar Sugandhi <tusharsu@...ux.microsoft.com>,
        Stephen Smalley <stephen.smalley.work@...il.com>,
        casey@...aufler-ca.com, agk@...hat.com, snitzer@...hat.com,
        gmazyland@...il.com, tyhicks@...ux.microsoft.com,
        sashal@...nel.org, James Morris <jmorris@...ei.org>,
        linux-integrity@...r.kernel.org, selinux@...r.kernel.org,
        linux-security-module@...r.kernel.org,
        linux-kernel@...r.kernel.org, dm-devel@...hat.com
Subject: Re: [PATCH v10 8/8] selinux: include a consumer of the new IMA
 critical data hook

[Cc'ing Sasha]

Hi Lakshmi,

On Thu, 2021-01-14 at 08:22 -0800, Lakshmi Ramasubramanian wrote:
> On 1/13/21 6:49 PM, Mimi Zohar wrote:

> >>> Lakshmi is trying to address the situation where an event changes a
> >>> value, but then is restored to the original value.  The original and
> >>> subsequent events are measured, but restoring to the original value
> >>> isn't re-measured.  This isn't any different than when a file is
> >>> modified and then reverted.
> >>>
> >>> Instead of changing the name like this, which doesn't work for files,
> >>> allowing duplicate measurements should be generic, based on policy.
> >>
> >> Perhaps it is just the end of the day and I'm a bit tired, but I just
> >> read all of the above and I have no idea what your current thoughts
> >> are regarding this patch.
> > 
> > Other than appending the timestamp, which is a hack, the patch is fine.
> > Support for re-measuring an event can be upstreamed independently.
> > 
> 
> Thanks for clarifying the details related to duplicate measurement 
> detection and re-measuring.
> 
> I will keep the timestamp for the time being, even though its a hack, as 
> it helps with re-measuring state changes in SELinux. We will add support 
> for "policy driven" re-measurement as a subsequent patch series.

Once including the timestamp is upstreamed, removing it will be
difficult, especially if different userspace applications are dependent
on it.  Unless everyone is on board that removing the timestamp
wouldn't be considered a regression, it cannot be upstreamed.

thanks,

Mimi

Powered by blists - more mailing lists