Thread: 54 messages, 5 authors, 2021-12-02

Re: [RFC 08/20] ima: Move measurement list related variables into ima_namespace

From: James Bottomley <hidden>
Date: 2021-12-02 16:30:20
Also in: linux-security-module, lkml

On Thu, 2021-12-02 at 08:41 -0500, Stefan Berger wrote:
On 12/2/21 07:46, James Bottomley wrote:
On Tue, 2021-11-30 at 11:06 -0500, Stefan Berger wrote:
Move measurement list related variables into the ima_namespace. This way a front-end like SecurityFS can show the measurement list inside an IMA namespace.

Implement ima_free_measurements() to free a list of measurements
and call it when an IMA namespace is deleted.
This one worries me quite a lot. What seems to be happening in this code:
@@ -107,7 +100,7 @@ static int ima_add_digest_entry(struct
ima_namespace *ns,
         qe->entry = entry;
  
         INIT_LIST_HEAD(&qe->later);
-       list_add_tail_rcu(&qe->later, &ima_measurements);
+       list_add_tail_rcu(&qe->later, &ns->ima_measurements);
  
         atomic_long_inc(&ns->ima_htable.len);
         if (update_htable) {
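Review bot: after this change an entry is reachable only through ns->ima_measurements, so its lifetime ends with the namespace (the commit message says ima_free_measurements() frees the list on teardown), yet the entry is added with list_add_tail_rcu() and counted in ns->ima_htable.len, which implies RCU readers such as the securityfs front-end may still be walking that list; the commit message should say how ima_free_measurements() waits for those readers before freeing, and whether a measurement that lands only on the namespace list still extends the PCR, because that decides if the host can replay its own log once the namespace is gone. Suggest stating that explicitly in the commit message or pointing at the hunk where the PCR extend and any host-list copy happen.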
is that we now only add the measurements to the namespace list, but that list is freed when the namespace dies. However, the measurement is still extended through the PCRs meaning we have incomplete information for a replay after the namespace dies?
*Not at all.* The measurement list of the namespace is independent of the host.

The cover letter states:
I get that the host can set up a policy to log everything in the
namespace, but that wasn't my question.  My question is can the guest
set up a policy to log something that doesn't go into the host log
(because the host hasn't asked for it to be logged) but extends a PCR
anyway, thus destroying the ability of the host to do log replay.

James
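A small model of the replay concern raised in this reply, added here as an example and not code from the patch series or the kernel: one PCR, a host measurement list and a namespace list, with sets of paths standing in for IMA policy rules (a constructed simplification) and constructed sample files. It shows that a measurement which extends the PCR but is recorded only on the namespace list leaves the host log unable to replay once that list is freed.

```python
import hashlib

PCR_RESET = bytes(32)  # SHA-256 bank PCR starts out all zeros

def pcr_extend(pcr, digest):
    # TPM extend operation: PCR_new = H(PCR_old || digest)
    return hashlib.sha256(pcr + digest).digest()

def replay(log):
    # Recompute the PCR a verifier expects from an ordered measurement list
    pcr = PCR_RESET
    for _path, digest in log:
        pcr = pcr_extend(pcr, digest)
    return pcr

def run_scenario(host_policy, ns_policy, files):
    """Measure `files` ([(path, content)]) from inside one IMA namespace.
    Policies are sets of paths (constructed stand-in for IMA policy rules).
    A file matched by either policy extends the single PCR once; the entry
    goes on the host list and/or the namespace list per which policy matched."""
    pcr, host_log, ns_log = PCR_RESET, [], []
    for path, content in files:
        digest = hashlib.sha256(content).digest()
        if path in host_policy or path in ns_policy:
            pcr = pcr_extend(pcr, digest)
        if path in host_policy:
            host_log.append((path, digest))
        if path in ns_policy:
            ns_log.append((path, digest))
    return pcr, host_log, ns_log

def host_can_replay(pcr, host_log):
    # True when the host's own list alone explains the PCR value
    return replay(host_log) == pcr

# Constructed sample files, measured in this order from inside the namespace
FILES = [("/usr/bin/init", b"init-v1"), ("/ns/app", b"app-v1"),
         ("/ns/lib.so", b"lib-v1")]

def demo():
    # Host policy logs everything the namespace logs: every extend is on the host list
    pcr, host_log, _ = run_scenario({"/usr/bin/init", "/ns/app"}, {"/ns/app"}, FILES)
    assert host_can_replay(pcr, host_log)
    # Namespace-only rule: /ns/app extends the PCR but lives only on ns_log
    pcr, host_log, ns_log = run_scenario({"/usr/bin/init"}, {"/ns/app"}, FILES)
    assert host_can_replay(pcr, host_log + ns_log)  # fine while the ns is alive
    del ns_log  # namespace torn down: ima_free_measurements() drops its list
    return host_can_replay(pcr, host_log)  # False: host log no longer replays
```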
