From: Janne Karhunen <janne.karhunen@gmail.com>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: linux-integrity@vger.kernel.org,
	linux-security-module <linux-security-module@vger.kernel.org>,
	Ken Goldman <kgold@linux.ibm.com>,
	david.safford@gmail.com, monty.wiseman@ge.com,
	"Serge E. Hallyn" <serge@hallyn.com>
Subject: Re: [PATCH v2] ima: export the measurement list when needed
Date: Mon, 27 Jan 2020 11:03:03 +0200
Message-ID: <CAE=Ncrawp7BPikkg0-ww2dO2_+tDPkaGxCpwMbDX4yqYWuYBWQ@mail.gmail.com>
In-Reply-To: <1580058069.5990.36.camel@linux.ibm.com>

On Sun, Jan 26, 2020 at 7:01 PM Mimi Zohar <zohar@linux.ibm.com> wrote:

> > > I don't think it is common, and probably not acceptable, for the
> > > kernel to open a file for writing.
> >
> > Ok. It just means that the kernel cannot do its own memory management
> > and will depend on the user flushing the memory often enough to
> > prevent something bad from happening. Is this more common in the
> > kernel than writing out a file?
>
> Ok, there are examples of both passing a file descriptor and passing a
> pathname from userspace, but even in the case of passing a pathname,
> userspace normally creates the file.

Sorry, I was slow to get your proposal. I'll try to see what that would
look like.


> There's been discussion in the past of defining an integrity
> capability.  Are we at that point where we really do need to define an
> integrity capability or is everyone comfortable with relying on
> CAP_SYS_ADMIN?

Every time something like this is being proposed there is a lot of
shouting from people that they want their root user (renamed as
CAP_SYS_ADMIN) back. I'd be happy with such a bit, and several others,
too.


> When implementing this feature of exporting and truncating the
> measurement list, please keep in mind how this would work in the
> context of IMA namespaces.

That could be rough. I'll try to think about it.


--
Janne
