Re: [PATCH v2 2/3] ima: don't ignore INTEGRITY_UNKNOWN EVM status

[PATCH v2 0/3] ima/evm fixes for v5.2 · Roberto Sassu <roberto.sassu@huawei.com> · 2019-05-29
[PATCH v2 1/3] evm: check hash algorithm passed to init_desc() · Roberto Sassu <roberto.sassu@huawei.com> · 2019-05-29
Re: [PATCH v2 1/3] evm: check hash algorithm passed to init_desc() · Mimi Zohar <zohar@linux.ibm.com> · 2019-05-30
[PATCH v2 2/3] ima: don't ignore INTEGRITY_UNKNOWN EVM status · Roberto Sassu <roberto.sassu@huawei.com> · 2019-05-29
Re: [PATCH v2 2/3] ima: don't ignore INTEGRITY_UNKNOWN EVM status · Mimi Zohar <zohar@linux.ibm.com> · 2019-05-30
Re: [PATCH v2 2/3] ima: don't ignore INTEGRITY_UNKNOWN EVM status · Roberto Sassu <roberto.sassu@huawei.com> · 2019-06-03
Re: [PATCH v2 2/3] ima: don't ignore INTEGRITY_UNKNOWN EVM status · Mimi Zohar <zohar@linux.ibm.com> · 2019-06-03
Re: [PATCH v2 2/3] ima: don't ignore INTEGRITY_UNKNOWN EVM status · James Bottomley <James.Bottomley@HansenPartnership.com> · 2019-06-03
Re: [PATCH v2 2/3] ima: don't ignore INTEGRITY_UNKNOWN EVM status · Chuck Lever <hidden> · 2019-06-03
Re: [PATCH v2 2/3] ima: don't ignore INTEGRITY_UNKNOWN EVM status · Roberto Sassu <roberto.sassu@huawei.com> · 2019-06-03
Re: [PATCH v2 2/3] ima: don't ignore INTEGRITY_UNKNOWN EVM status · James Bottomley <James.Bottomley@HansenPartnership.com> · 2019-06-03
Re: [PATCH v2 2/3] ima: don't ignore INTEGRITY_UNKNOWN EVM status · Roberto Sassu <roberto.sassu@huawei.com> · 2019-06-03
Re: [PATCH v2 2/3] ima: don't ignore INTEGRITY_UNKNOWN EVM status · James Bottomley <James.Bottomley@HansenPartnership.com> · 2019-06-04
[PATCH v2 3/3] ima: show rules with IMA_INMASK correctly · Roberto Sassu <roberto.sassu@huawei.com> · 2019-05-29
Re: [PATCH v2 3/3] ima: show rules with IMA_INMASK correctly · Mimi Zohar <zohar@linux.ibm.com> · 2019-05-30

From: James Bottomley <James.Bottomley@HansenPartnership.com>
Date: 2019-06-04 08:57:26
Also in: linux-doc, linux-integrity, lkml, stable

On Mon, 2019-06-03 at 16:44 +0200, Roberto Sassu wrote:

On 6/3/2019 4:31 PM, James Bottomley wrote:

quoted

On Mon, 2019-06-03 at 16:29 +0200, Roberto Sassu wrote:

[...]

quoted

How would you prevent root in the container from updating
security.ima?

We don't.  We only guarantee immutability for unprivileged
containers, so root can't be inside.

Ok.

Regarding the new behavior, this must be explicitly enabled by adding
ima_appraise=enforce-evm or log-evm to the kernel command line.
Otherwise, the current behavior is preserved with this patch. Would
this be ok?

Sure, as long as it's an opt-in flag, meaning the behaviour of my
kernels on physical cloud systems doesn't change as I upgrade them, I'm
fine with that.

James

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help