From: Jeff Layton <jlayton@kernel.org>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>,
	Christoph Hellwig <hch@lst.de>, Al Viro <viro@zeniv.linux.org.uk>
Cc: Jan Kara <jack@suse.cz>,
	linux-fsdevel@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	linux-integrity <linux-integrity@vger.kernel.org>
Subject: Re: [RFC PATCH 2/4] ima: define new ima_sb_post_new_mount hook
Date: Fri, 15 Dec 2017 16:13:29 -0500
Message-ID: <1513372409.20336.30.camel@kernel.org>
In-Reply-To: <1512659378.1350.17.camel@redhat.com>

On Thu, 2017-12-07 at 10:09 -0500, Jeff Layton wrote:
> On Thu, 2017-12-07 at 10:08 -0500, Mimi Zohar wrote:
> > On Thu, 2017-12-07 at 09:50 -0500, Jeff Layton wrote:
> > > On Thu, 2017-12-07 at 09:35 -0500, Mimi Zohar wrote:
> > > > Hi Jeff,
> > > > 
> > > > [The IMA/EVM and the TPM mailing lists have been combined as a single
> > > > linux-integrity mailing list.]
> > > > 
> > > > On Thu, 2017-12-07 at 07:26 -0500, Jeff Layton wrote:
> > > > > Sorry for the late review. I just started dusting off my i_version
> > > > > rework, and noticed that IMA still has unaddressed problems here.
> > > > 
> > > > <snip>
> > > > 
> > > > > Personally, I'm not a huge fan of this scheme. It seems quite invasive,
> > > > > and doesn't really seem to address the stated problem well.
> > > > 
> > > > A cleaned up version of this patch set was meant to follow the
> > > > introduction of a new integrity_read method, but that patch set was
> > > > rejected.  At this point, I have no intentions of upstreaming a
> > > > cleaned up version of this patch set either.
> > > > 
> > > > > The warning itself seems ok, but I don't really see what's wrong with
> > > > > performing remeasurement when the mtime changes on filesystems that
> > > > > don't have SB_I_VERSION set. Surely that's better than limiting it to an
> > > > > initial measurement?
> > > > > 
> > > > > Maybe I just don't understand what you're really trying to achieve here.
> > > > 
> > > > Based on discussions with Sascha Hauer, he convinced me the i_version
> > > > test is basically just a performance improvement and posted a patch
> > > > that checks the filesystem for i_version support, before relying on it
> > > > -  https://www.spinics.net/lists/linux-integrity/msg00033.html.
> > > > 
> > > > Mimi
> > > > 
> > > 
> > > Thanks for the link. That patch looks good to me. Any idea when and if
> > > it will be merged?
> > 
> > Is that an Ack?  Barring any testing issues, I'll upstream it with
> > yours in the next open window.
> > 
> > Mimi
> > 
> 
> Sure, you can add:
> 
> Reviewed-by: Jeff Layton <jlayton@redhat.com>

BTW, could you get this into linux-next sometime soon? I have a series
of patches to overhaul i_version handling that I want to go in soon and
there could be merge conflicts.

Thanks,
-- 
Jeff Layton <jlayton@kernel.org>

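The disagreement above is about what should trigger an IMA re-measurement on filesystems that do not set SB_I_VERSION: keep measuring once, fall back to mtime, or treat the i_version check as purely a performance optimisation. The following model, added here as an illustration and not taken from the kernel or from either patch set, replays a constructed access trace under each policy and counts measurements. The structs, the `needs_remeasure` / `count_measurements` functions and the trace are hypothetical simplifications of the kernel's inode, superblock and integrity-cache state.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified model of the pieces the thread talks about; these
 * are NOT the kernel's real structs or IMA's own code. */
#define SB_I_VERSION 0x1UL

struct sb { unsigned long s_flags; };

struct inode {
    struct sb *i_sb;
    uint64_t   i_version;    /* bumped on each data change when the fs supports it */
    int64_t    i_mtime_sec;  /* modification time, whole seconds */
    int64_t    i_mtime_nsec;
};

/* What the per-inode integrity cache remembered at the last measurement. */
struct iint {
    bool     measured;
    uint64_t version;
    int64_t  mtime_sec, mtime_nsec;
};

enum change_policy {
    POLICY_AUTO,        /* i_version if the fs maintains it, else mtime */
    POLICY_MTIME_ONLY,  /* ignore i_version, rely on mtime alone */
    POLICY_ALWAYS       /* no change tracking: re-measure on every open */
};

static bool fs_has_iversion(const struct inode *inode)
{
    return (inode->i_sb->s_flags & SB_I_VERSION) != 0;
}

static bool mtime_changed(const struct iint *iint, const struct inode *inode)
{
    return iint->mtime_sec != inode->i_mtime_sec ||
           iint->mtime_nsec != inode->i_mtime_nsec;
}

/* Must the file be (re)measured on this open? A never-measured inode is
 * always measured. POLICY_ALWAYS is correct but costly, which is why the
 * i_version test is a performance improvement rather than a requirement. */
static bool needs_remeasure(enum change_policy policy, const struct iint *iint,
                            const struct inode *inode)
{
    if (!iint->measured || policy == POLICY_ALWAYS)
        return true;
    if (policy == POLICY_AUTO && fs_has_iversion(inode))
        return iint->version != inode->i_version;
    return mtime_changed(iint, inode);
}

static void record_measurement(struct iint *iint, const struct inode *inode)
{
    iint->measured   = true;
    iint->version    = inode->i_version;
    iint->mtime_sec  = inode->i_mtime_sec;
    iint->mtime_nsec = inode->i_mtime_nsec;
}

/* One event in a constructed trace: either a plain open, or a write that
 * changes the data and sets mtime to the given timestamp. */
struct event { bool write; int64_t mtime_sec; int64_t mtime_nsec; };

/* Replay the trace and count how many times the file would be measured.
 * i_version is bumped on every write here; it is only consulted when the
 * superblock flag says the filesystem actually maintains it. */
static int count_measurements(enum change_policy policy, bool fs_iversion,
                              const struct event *trace, size_t n)
{
    struct sb sb = { .s_flags = fs_iversion ? SB_I_VERSION : 0 };
    struct inode inode = { .i_sb = &sb, .i_version = 1,
                           .i_mtime_sec = 0, .i_mtime_nsec = 0 };
    struct iint iint = { 0 };
    int measured = 0;

    for (size_t i = 0; i < n; i++) {
        if (trace[i].write) {
            inode.i_version++;
            inode.i_mtime_sec  = trace[i].mtime_sec;
            inode.i_mtime_nsec = trace[i].mtime_nsec;
        }
        if (needs_remeasure(policy, &iint, &inode)) {
            record_measurement(&iint, &inode);
            measured++;
        }
    }
    return measured;
}

/* Constructed trace: open, write at t=100s, open, a second write whose
 * mtime lands on the same timestamp (coarse clock), then two more opens. */
static const struct event sample_trace[] = {
    { false, 0, 0 }, { true, 100, 0 }, { false, 0, 0 },
    { true, 100, 0 }, { false, 0, 0 }, { false, 0, 0 },
};
#define SAMPLE_LEN (sizeof(sample_trace) / sizeof(sample_trace[0]))

int main(void)
{
    printf("i_version fs, auto policy : %d measurements\n",
           count_measurements(POLICY_AUTO, true, sample_trace, SAMPLE_LEN));
    printf("no i_version, mtime fallback: %d measurements\n",
           count_measurements(POLICY_AUTO, false, sample_trace, SAMPLE_LEN));
    printf("no change tracking, always : %d measurements\n",
           count_measurements(POLICY_ALWAYS, false, sample_trace, SAMPLE_LEN));
    return 0;
}
```

With the constructed trace the i_version path measures three times (initial plus both writes), the mtime fallback measures twice because the second write is invisible to a timestamp that did not move, and the always-remeasure policy measures on all six opens. That is the trade-off in one picture: mtime catches most changes at low cost but has a detection gap, while re-measuring unconditionally closes the gap at the price of hashing on every open.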

Thread overview: 30+ messages
2017-08-16 17:30 [RFC PATCH 0/4] ima: filesystems not mounted with i_version Mimi Zohar
2017-08-16 17:30 ` Mimi Zohar
2017-08-16 17:30 ` [RFC PATCH 1/4] security: define new LSM sb_post_new_mount hook Mimi Zohar
2017-08-16 17:30   ` Mimi Zohar
2017-08-16 17:30 ` [RFC PATCH 2/4] ima: define new ima_sb_post_new_mount hook Mimi Zohar
2017-08-16 17:30   ` Mimi Zohar
2017-08-16 19:24   ` Casey Schaufler
2017-08-16 19:24     ` Casey Schaufler
2017-08-16 20:59     ` Mimi Zohar
2017-08-16 20:59       ` Mimi Zohar
2017-08-17  2:39       ` [Linux-ima-devel] " James Morris
2017-08-17  2:39         ` James Morris
2017-12-07 12:26   ` Jeff Layton
2017-12-07 12:26     ` Jeff Layton
2017-12-07 14:35     ` Mimi Zohar
2017-12-07 14:35       ` Mimi Zohar
2017-12-07 14:35       ` Mimi Zohar
2017-12-07 14:50       ` Jeff Layton
2017-12-07 14:50         ` Jeff Layton
2017-12-07 15:08         ` Mimi Zohar
2017-12-07 15:08           ` Mimi Zohar
2017-12-07 15:08           ` Mimi Zohar
2017-12-07 15:09           ` Jeff Layton
2017-12-07 15:09             ` Jeff Layton
2017-12-15 21:13             ` Jeff Layton [this message]
2017-12-15 21:13               ` Jeff Layton
2017-08-16 17:30 ` [RFC PATCH 3/4] security: define a new LSM sb_post_remount hook Mimi Zohar
2017-08-16 17:30   ` Mimi Zohar
2017-08-16 17:30 ` [RFC PATCH 4/4] ima: define a new ima_sb_post_remount hook Mimi Zohar
2017-08-16 17:30   ` Mimi Zohar
