From: Stephen Smalley <stephen.smalley.work@gmail.com>
To: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
Cc: Mimi Zohar <zohar@linux.ibm.com>,
Stephen Smalley <stephen.smalley@gmail.com>,
Casey Schaufler <casey@schaufler-ca.com>,
James Morris <jmorris@namei.org>,
linux-integrity@vger.kernel.org,
LSM List <linux-security-module@vger.kernel.org>,
linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 4/5] LSM: Define SELinux function to measure security state
Date: Mon, 15 Jun 2020 16:31:59 -0400 [thread overview]
Message-ID: <CAEjxPJ4nD-3cNQHp8wjdL=_k3opjyU+zc9xCPZkOjkTxDN6g9A@mail.gmail.com> (raw)
In-Reply-To: <a9a20aa5-963e-5f49-9391-0673fdda378e@linux.microsoft.com>
On Mon, Jun 15, 2020 at 12:45 PM Lakshmi Ramasubramanian
<nramas@linux.microsoft.com> wrote:
>
> On 6/15/20 4:57 AM, Stephen Smalley wrote:
> > I think I mentioned this on a previous version of these patches, but I
> > would recommend including more than just the enabled and enforcing
> > states in your measurement. Other low-hanging fruit would be the
> > other selinux_state booleans (checkreqprot, initialized,
> > policycap[0..__POLICYDB_CAPABILITY_MAX]). Going a bit further one
> > could take a hash of the loaded policy by using security_read_policy()
> > and then computing a hash using whatever hash ima prefers over the
> > returned data,len pair. You likely also need to think about how to
> > allow future extensibility of the state in a backward-compatible
> > manner, so that future additions do not immediately break systems
> > relying on older measurements.
> >
>
> Sure - I will address this one in the next update.
Please add selinux list to the cc for future versions too.
next prev parent reply other threads:[~2020-06-15 20:32 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-13 2:41 [PATCH 0/5] LSM: Measure security module state Lakshmi Ramasubramanian
2020-06-13 2:41 ` [PATCH 1/5] IMA: Add LSM_STATE func to measure LSM data Lakshmi Ramasubramanian
2020-06-13 2:41 ` [PATCH 2/5] IMA: Define an IMA hook " Lakshmi Ramasubramanian
2020-06-13 2:41 ` [PATCH 3/5] LSM: Add security_state function pointer in lsm_info struct Lakshmi Ramasubramanian
2020-06-13 2:41 ` [PATCH 4/5] LSM: Define SELinux function to measure security state Lakshmi Ramasubramanian
2020-06-15 11:57 ` Stephen Smalley
2020-06-15 12:15 ` Stephen Smalley
2020-06-15 16:45 ` Lakshmi Ramasubramanian
2020-06-15 17:33 ` Casey Schaufler
2020-06-15 17:44 ` Mimi Zohar
2020-06-15 23:18 ` Casey Schaufler
2020-06-16 0:44 ` Mimi Zohar
2020-06-16 8:38 ` John Johansen
2020-06-15 20:31 ` Stephen Smalley [this message]
2020-06-13 2:41 ` [PATCH 5/5] LSM: Define workqueue for measuring security module state Lakshmi Ramasubramanian
2020-06-15 13:33 ` Stephen Smalley
2020-06-15 14:59 ` Mimi Zohar
2020-06-15 15:47 ` Stephen Smalley
2020-06-15 16:10 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAEjxPJ4nD-3cNQHp8wjdL=_k3opjyU+zc9xCPZkOjkTxDN6g9A@mail.gmail.com' \
--to=stephen.smalley.work@gmail.com \
--cc=casey@schaufler-ca.com \
--cc=jmorris@namei.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=nramas@linux.microsoft.com \
--cc=stephen.smalley@gmail.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.