Re: F20 System Wide Change: Enable kdump on secureboot machines

On Thu, Jul 11, 2013 at 11:45:34AM -0400, Steve Grubb wrote:
> On Thursday, July 11, 2013 10:33:05 AM Vivek Goyal wrote:
> > Secondly, there are disagreements upstream w.r.t how locking down
> > executable should happen. IMA folks want some functionality behind
> > security hooks (as opposed to what I have done). So I am expecting
> > that once patches do get merged upstream, they might be in little
> > different shape altogether.
> 
> I don't know if the average person has played with IMA. It hashes all files 
> being accessed depending on its policy. This is CPU intensive and will cause 
> the system fans to run faster and the system uses more power. It also runs 
> slower because of all the time spent hashing files. I reported this to upstream 
> IMA developers a while back. I doubt anything has changed.

This overhead shows up only when one loads an IMA policy to do so. In my case
I have exported some appraisal functions from IMA code so these can be
directly called by other kernel components. And I call these functions
from elf loader code.

That way, in regular configuration no hashing of all the files will
take place. Executables will be hashed only if they are signed and
only if the user has asked to run the executable locked down in memory. (I
have created a way so that in the security.ima attribute one can
put additional info to run the executable locked down in memory).

So we just need to enable IMA, but for regular users I am not
expecting any significant overhead to show up. It will show up
only if users choose to load some IMA policy in the system.

Thanks
Vivek
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
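As an added illustration (not code from this thread or from the kernel patch under discussion): a small userspace model of the gating Vivek describes, where a file is hashed and compared against its security.ima label only when appraisal is actually requested. The security.ima type bytes and hash-algorithm ids are taken from the public kernel headers and are assumptions here, not something the thread states.

```python
import hashlib
from typing import Optional

# Type bytes used in the security.ima extended attribute (assumed from the
# kernel's IMA/EVM headers, not from the mailing-list thread).
IMA_XATTR_DIGEST = 0x01      # legacy: digest with no algorithm byte (sha1 in practice)
EVM_IMA_XATTR_DIGSIG = 0x03  # signature over the file hash
IMA_XATTR_DIGEST_NG = 0x04   # algorithm id byte followed by the digest

# hash_info.h algorithm ids needed here (assumed values)
HASH_ALGOS = {2: "sha1", 4: "sha256", 6: "sha512"}

def appraise(data: bytes, xattr: Optional[bytes], appraisal_requested: bool) -> str:
    """Model of policy-gated appraisal: nothing is hashed unless a policy
    (or, in the thread's design, the ELF loader for a lock-down executable)
    asks for it. Returns 'skipped', 'unlabeled', 'signed', 'ok',
    'mismatch' or 'unknown'."""
    if not appraisal_requested:
        return "skipped"          # no hashing cost at all
    if not xattr:
        return "unlabeled"
    kind = xattr[0]
    if kind == EVM_IMA_XATTR_DIGSIG:
        return "signed"           # real IMA verifies the signature here
    if kind == IMA_XATTR_DIGEST:
        algo, digest = "sha1", xattr[1:]
    elif kind == IMA_XATTR_DIGEST_NG:
        algo = HASH_ALGOS.get(xattr[1])
        if algo is None:
            return "unknown"
        digest = xattr[2:]
    else:
        return "unknown"
    return "ok" if hashlib.new(algo, data).digest() == digest else "mismatch"

def make_digest_ng_xattr(data: bytes, algo: str = "sha256") -> bytes:
    """Build a DIGEST_NG security.ima value (type byte, algo id, digest)."""
    algo_id = {v: k for k, v in HASH_ALGOS.items()}[algo]
    return bytes([IMA_XATTR_DIGEST_NG, algo_id]) + hashlib.new(algo, data).digest()

if __name__ == "__main__":
    # constructed sample file contents, not a real executable
    sample = b"\x7fELF constructed sample executable contents\n"
    label = make_digest_ng_xattr(sample)
    print(appraise(sample, label, appraisal_requested=False))  # skipped
    print(appraise(sample, label, appraisal_requested=True))   # ok
    print(appraise(sample + b"x", label, True))                # mismatch
```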