Re: [PATCH v1 - RFC] ima: export the measurement list when needed
From: Janne Karhunen <hidden>
Date: 2020-01-01 07:19:43
Also in:
linux-integrity
On Tue, Dec 24, 2019 at 5:35 PM [off-list ref] wrote:
quoted
That is a good question. I went this way as it did not feel right to me that the kernel would depend on periodic, reliable userspace functionality to stay running (we would have a circular dependency). The thing is, once the kernel starts to run low on memory, it may kill that periodic daemon flushing the data for reasons unrelated to IMA. I'm happy with either way (kernel writing, or userspace reading) the data, but with the v1 patch, there is no way for userspace to force that the list be flushed - it only flushes on full. I think it is important for userspace to be able to trigger a flush, such as just prior to a kexec, or prior to an attestation.
Indeed, will add in v2.
Perhaps you could simply remove the length test in ima_export_list(), and export any time the filename is provided? This could simplify attestation clients, which could ask for different files each time (list.1, list.2...), for automatic log maintenance. Since the template format does not have sequence numbers, this would also help keep track of which records have already been seen.
Yes, will do something like this. Holidays cause some latency here, but I will send an update next week. -- Janne