Thread (23 messages), 4 authors, 2020-08-04

Re: [PATCH v5 3/4] LSM: Define SELinux function to measure state and policy

From: Lakshmi Ramasubramanian <hidden>
Date: 2020-08-04 15:57:32
Also in: linux-integrity, lkml, selinux

On 8/4/20 8:29 AM, Stephen Smalley wrote:
>> Perhaps vmalloc would be better than using kmalloc? If there are
>> better options for such large buffer allocation, please let me know.
>
> kvmalloc() can be used to select whichever one is most appropriate.
> Other option would be for ima to compute and save the hash(es) of the
> payload and not the payload itself for later use.  I guess you won't
> know at that point which hash algorithm is desired?

I think IMA hash algorithm would be known at that point, but IMA policy 
is not loaded yet (which is why I need to queue up the buffer and 
process when policy is loaded).

I tried vmalloc and tested it with up to 16MB buffer (just made up a 
SELinux policy buffer of size 16MB) - that works fine.

I will try kvmalloc().

Also, I fixed the issue with LSM data not measured when using the IMA 
policy you had. Good catch.

Will post the updated patches today.

thanks,
  -lakshmi