Re: [PATCH v2 06/15] ima: add parser of digest lists metadata

From: Mimi Zohar
Date: Sat Nov 18 2017 - 18:25:27 EST

Next message: Tomasz Kramkowski: "Re: [PATCH] HID: elecom: fix the descriptor of the EX-G trackball"
Previous message: Fabio Estevam: "Re: [alsa-devel] [PATCH] ASoC: fsl_asrc: Fix typo in a field define"
In reply to: Serge E. Hallyn: "Re: [PATCH v2 06/15] ima: add parser of digest lists metadata"
Next in thread: Roberto Sassu: "Re: [PATCH v2 06/15] ima: add parser of digest lists metadata"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Serge,

On Fri, 2017-11-17 at 22:20 -0600, Serge E. Hallyn wrote:
> On Tue, Nov 07, 2017 at 11:37:01AM +0100, Roberto Sassu wrote:
> > from a predefined position (/etc/ima/digest_lists/metadata), when rootfs
> > becomes available. Digest lists must be loaded before IMA appraisal is in
> > enforcing mode.
>
> I'm sure there's a good reason for it, but this seems weird to me.
> Why read it from a file on disk instead of accepting it through say
> a securityfile write?

Assuming that the concept of a white list is something we want to
support, then at minimum the list needs to be signed and verified.
Instead of defining a new Kconfig pathname option, a securityfs file
could read it, like the IMA policy.

Mimi

Next message: Tomasz Kramkowski: "Re: [PATCH] HID: elecom: fix the descriptor of the EX-G trackball"
Previous message: Fabio Estevam: "Re: [alsa-devel] [PATCH] ASoC: fsl_asrc: Fix typo in a field define"
In reply to: Serge E. Hallyn: "Re: [PATCH v2 06/15] ima: add parser of digest lists metadata"
Next in thread: Roberto Sassu: "Re: [PATCH v2 06/15] ima: add parser of digest lists metadata"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]