[PATCH v2 06/15] ima: add parser of digest lists metadata

[PATCH v2 00/15] ima: digest list feature · Roberto Sassu <roberto.sassu@huawei.com> · 2017-11-07
[PATCH v2 06/15] ima: add parser of digest lists metadata · Roberto Sassu <roberto.sassu@huawei.com> · 2017-11-07
Re: [PATCH v2 06/15] ima: add parser of digest lists metadata · "Serge E. Hallyn" <serge@hallyn.com> · 2017-11-18
Re: [PATCH v2 06/15] ima: add parser of digest lists metadata · Mimi Zohar <hidden> · 2017-11-18
Re: [PATCH v2 06/15] ima: add parser of digest lists metadata · Roberto Sassu <roberto.sassu@huawei.com> · 2017-11-20
Re: [PATCH v2 06/15] ima: add parser of digest lists metadata · Mimi Zohar <hidden> · 2017-11-20
Re: [PATCH v2 06/15] ima: add parser of digest lists metadata · "Serge E. Hallyn" <serge@hallyn.com> · 2017-11-20
[PATCH v2 09/15] ima: introduce securityfs interfaces for digest lists · Roberto Sassu <roberto.sassu@huawei.com> · 2017-11-07
[PATCH v2 01/15] ima: generalize ima_read_policy() · Roberto Sassu <roberto.sassu@huawei.com> · 2017-11-07
[PATCH v2 02/15] ima: generalize ima_write_policy() · Roberto Sassu <roberto.sassu@huawei.com> · 2017-11-07
[PATCH v2 03/15] ima: generalize policy file operations · Roberto Sassu <roberto.sassu@huawei.com> · 2017-11-07
[PATCH v2 04/15] ima: use ima_show_htable_value to show hash table data · Roberto Sassu <roberto.sassu@huawei.com> · 2017-11-07
[PATCH v2 05/15] ima: add functions to manage digest lists · Roberto Sassu <roberto.sassu@huawei.com> · 2017-11-07
[PATCH v2 07/15] ima: add parser of compact digest list · Roberto Sassu <roberto.sassu@huawei.com> · 2017-11-07
[PATCH v2 08/15] ima: add parser of RPM package headers · Roberto Sassu <roberto.sassu@huawei.com> · 2017-11-07
[PATCH v2 10/15] ima: disable digest lookup if digest lists are not checked · Roberto Sassu <roberto.sassu@huawei.com> · 2017-11-07
[PATCH v2 11/15] ima: add policy action digest_list · Roberto Sassu <roberto.sassu@huawei.com> · 2017-11-07
[PATCH v2 12/15] ima: do not update security.ima if appraisal status is not INTEGRITY_PASS · Roberto Sassu <roberto.sassu@huawei.com> · 2017-11-07
Re: [PATCH v2 12/15] ima: do not update security.ima if appraisal status is not INTEGRITY_PASS · "Serge E. Hallyn" <serge@hallyn.com> · 2017-11-18
[PATCH v2 13/15] evm: add kernel command line option to select protected xattrs · Roberto Sassu <roberto.sassu@huawei.com> · 2017-11-07
[PATCH v2 14/15] ima: add support for appraisal with digest lists · Roberto Sassu <roberto.sassu@huawei.com> · 2017-11-07
[PATCH v2 15/15] ima: add Documentation/security/IMA-digest-lists.txt · Roberto Sassu <roberto.sassu@huawei.com> · 2017-11-07
Re: [PATCH v2 00/15] ima: digest list feature · Mimi Zohar <hidden> · 2017-11-07
Re: [PATCH v2 00/15] ima: digest list feature · Roberto Sassu <roberto.sassu@huawei.com> · 2017-11-07
Re: [PATCH v2 00/15] ima: digest list feature · Kees Cook <hidden> · 2017-11-17
Re: [PATCH v2 00/15] ima: digest list feature · Roberto Sassu <roberto.sassu@huawei.com> · 2017-11-17
Re: [PATCH v2 00/15] ima: digest list feature · Mimi Zohar <hidden> · 2017-11-17
Re: [PATCH v2 00/15] ima: digest list feature · Matthew Garrett <hidden> · 2017-11-07
Re: [PATCH v2 00/15] ima: digest list feature · Roberto Sassu <roberto.sassu@huawei.com> · 2017-11-07
Re: [PATCH v2 00/15] ima: digest list feature · Matthew Garrett <hidden> · 2017-11-07
Re: [PATCH v2 00/15] ima: digest list feature · Roberto Sassu <roberto.sassu@huawei.com> · 2017-11-08
Re: [PATCH v2 00/15] ima: digest list feature · Matthew Garrett <hidden> · 2017-11-08
Re: [PATCH v2 00/15] ima: digest list feature · Roberto Sassu <roberto.sassu@huawei.com> · 2017-11-09
Re: [PATCH v2 00/15] ima: digest list feature · Matthew Garrett <hidden> · 2017-11-09
Re: [PATCH v2 00/15] ima: digest list feature · Roberto Sassu <roberto.sassu@huawei.com> · 2017-11-09
Re: [PATCH v2 00/15] ima: digest list feature · Matthew Garrett <hidden> · 2017-11-09
Re: [PATCH v2 00/15] ima: digest list feature · Roberto Sassu <roberto.sassu@huawei.com> · 2017-11-09
Re: [PATCH v2 00/15] ima: digest list feature · Mimi Zohar <hidden> · 2017-11-09
RE: [PATCH v2 00/15] ima: digest list feature · Safford, David (GE Global Research, US) <hidden> · 2017-11-07
Re: [PATCH v2 00/15] ima: digest list feature · Roberto Sassu <roberto.sassu@huawei.com> · 2017-11-08
Re: [PATCH v2 00/15] ima: digest list feature · Ken Goldman <hidden> · 2017-12-05
Re: [PATCH v2 00/15] ima: digest list feature · Roberto Sassu <roberto.sassu@huawei.com> · 2017-12-06

From: Mimi Zohar <hidden>
Date: 2017-11-18 23:23:40
Also in: linux-fsdevel, linux-integrity, lkml

Hi Serge,

On Fri, 2017-11-17 at 22:20 -0600, Serge E. Hallyn wrote:

On Tue, Nov 07, 2017 at 11:37:01AM +0100, Roberto Sassu wrote:

quoted

from a predefined position (/etc/ima/digest_lists/metadata), when rootfs
becomes available. Digest lists must be loaded before IMA appraisal is in
enforcing mode.

I'm sure there's a good reason for it, but this seems weird to me.
Why read it from a file on disk instead of accepting it through say
a securityfile write?

Assuming that the concept of a white list is something we want to
support, then at minimum the list needs to be signed and verified.
Instead of defining a new Kconfig pathname option, a securityfs file
could read it, like the IMA policy.

Mimi


--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help