From: Mimi Zohar <zohar@linux.ibm.com>
To: Roberto Sassu <roberto.sassu@huaweicloud.com>,
dmitry.kasatkin@gmail.com, jmorris@namei.org, serge@hallyn.com
Cc: linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, stefanb@linux.ibm.com,
viro@zeniv.linux.org.uk, Roberto Sassu <roberto.sassu@huawei.com>
Subject: Re: [PATCH v3 2/2] ima: Introduce MMAP_CHECK_REQPROT hook
Date: Sun, 29 Jan 2023 09:52:51 -0500 [thread overview]
Message-ID: <89a7cc7efe1545e18c9af6c3ec53468d6f528a7a.camel@linux.ibm.com> (raw)
In-Reply-To: <20230126163812.1870942-2-roberto.sassu@huaweicloud.com>
On Thu, 2023-01-26 at 17:38 +0100, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@huawei.com>
>
> Commit 98de59bfe4b2f ("take calculation of final prot in
> security_mmap_file() into a helper") caused ima_file_mmap() to receive the
> protections requested by the application and not those applied by the
> kernel.
>
> After restoring the original MMAP_CHECK behavior with a patch, existing
> systems might be broken due to not being ready to handle new entries
> (previously missing) in the IMA measurement list.
Is this a broken system or a broken attestation server? The
attestation server might not be able to handle the additional
measurements, but the system, itself, is not broken.
"with a patch" is unnecessary.
>
> Restore the original correct MMAP_CHECK behavior instead of keeping the
^ add missing comma after "behavior"
> current buggy one and introducing a new hook with the correct behavior. The
> second option
^ The second option -> Otherwise,
> would have had the risk of IMA users not noticing the problem
> at all, as they would actively have to update the IMA policy, to switch to
> the correct behavior.
>
> Also, introduce the new MMAP_CHECK_REQPROT hook to keep the current
> behavior, so that IMA users could easily fix a broken system, although this
> approach is discouraged due to potentially missing measurements.
Again, is this a broken system or a broken attestation server?
>
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Otherwise, the patch looks good.
--
thanks,
Mimi
next prev parent reply other threads:[~2023-01-29 14:53 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-26 16:38 [PATCH v3 1/2] ima: Align ima_file_mmap() parameters with mmap_file LSM hook Roberto Sassu
2023-01-26 16:38 ` [PATCH v3 2/2] ima: Introduce MMAP_CHECK_REQPROT hook Roberto Sassu
2023-01-29 14:52 ` Mimi Zohar [this message]
2023-01-30 10:37 ` Roberto Sassu
2023-01-26 16:38 ` [PATCH ima-evm-utils] Add tests for MMAP_CHECK and MMAP_CHECK_REQPROT hooks Roberto Sassu
2023-01-26 22:25 ` Stefan Berger
2023-01-27 7:57 ` Roberto Sassu
2023-01-30 13:28 ` Mimi Zohar
2023-01-30 14:02 ` Roberto Sassu
2023-01-30 16:07 ` Roberto Sassu
2023-01-30 16:54 ` Mimi Zohar
2023-01-30 16:56 ` Roberto Sassu
2023-01-30 16:26 ` Mimi Zohar
2023-01-30 16:36 ` Roberto Sassu
2023-01-30 17:00 ` Mimi Zohar
2023-01-26 19:37 ` [PATCH v3 1/2] ima: Align ima_file_mmap() parameters with mmap_file LSM hook Stefan Berger
2023-01-27 7:55 ` Roberto Sassu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=89a7cc7efe1545e18c9af6c3ec53468d6f528a7a.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=jmorris@namei.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=roberto.sassu@huawei.com \
--cc=roberto.sassu@huaweicloud.com \
--cc=serge@hallyn.com \
--cc=stefanb@linux.ibm.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.