On Thu, 30.12.21 13:04, Fedora Development ML (devel@xxxxxxxxxxxxxxxxxxxxxxx) wrote:

> > From: Zbigniew Jędrzejewski-Szmek [mailto:zbyszek@xxxxxxxxx]
> > Sent: Thursday, December 30, 2021 1:02 PM
> >
> > The gist of the proposal is described thus:
> >
> > > The new feature behaves as follows. A modified kernel with the DIGLIM
> > > patches will expose to user space an interface to add/remove file
> > > digests from the kernel hash table. A user space parser, executed by
> > > the kernel during early boot, parses RPM headers found in /etc/diglim
> > > in the initial ram disk (included with a custom dracut script) and
> > > uploads them to the kernel. When a file is accessed, IMA calculates
> > > the file digest and queries it with DIGLIM. If the digest is found,
> > > measurement is skipped and appraisal is successful. If the digest is
> > > not found, a measurement of the file is performed and appraisal fails.
> > > When packages are installed or removed, the kernel hash table is kept
> > > synchronized with a new rpm plugin.
> >
> > This description is … short.
>
> I saw you asked more questions below. I will answer there.
>
> > > A user space parser, executed by the kernel during early boot
> >
> > Is it really executed by the kernel? This description makes it sound
> > like a special old-hotplug-helper-style program that is spawned directly
> > by the kernel.
>
> Yes, it must be executed before init, otherwise the kernel
> would refuse to execute it. And probably, it must be executed
> earlier than now, as I'm seeing that the kmod binary is being
> executed (with the same mechanism, user-mode helper) before
> the digest lists are uploaded to the kernel.

Wouldn't it make more sense to push the digest lists into the kernel by
simpler means, before any userspace runs? e.g. just pick it up from some
fixed path in the file system, directly from the kernel, like the
firmware is picked up, or the ACPI DSDT tables are picked up.
That way you can just compile the digest lists trivially into a cpio you
pass as extra initrd to the kernel, and things will just work without
"uploading", without having any intermediary userspace process around
that needs to run to upload anything... They'd be available from the
first moment on, from kernel code, without any userspace interfering.

Static linking is a mess. User-mode helper is an atrocity: no new kernel
callouts should be introduced these days, that bypass userspace service
management, that are not properly sorted into a cgroup and so on.

It all sounds to me as if this *really* isn't thought to the end, and
should not be adopted this way...

Lennart

--
Lennart Poettering, Berlin
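As an added illustration of the "extra initrd" alternative raised in this reply (not code from the DIGLIM patches, the thread, or any Fedora tooling): a minimal SVR4 "newc" cpio writer that packs digest lists into an archive of the kind the kernel can take as an additional initrd, plus a reader that checks the result. The in-archive directory `kernel/digest_lists/`, the package file contents and the one-line-per-file `sha256 <hex> <path>` digest list format are all constructed assumptions for the example; the real DIGLIM digest lists are RPM headers.

```python
import hashlib


def _newc_entry(name: str, data: bytes, mode: int, ino: int) -> bytes:
    # One newc (magic 070701) record: 110-byte ASCII-hex header, NUL-terminated
    # name padded to a 4-byte boundary, then the data padded to a 4-byte boundary.
    fields = (ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name) + 1, 0)
    entry = b"070701" + b"".join(b"%08X" % f for f in fields)
    entry += name.encode() + b"\0"
    entry += b"\0" * (-len(entry) % 4)
    return entry + data + b"\0" * (-len(data) % 4)


def make_digest_list(files: dict) -> bytes:
    # Constructed text format, NOT DIGLIM's RPM-header format: "sha256 <hex> <path>".
    lines = ["sha256 %s %s" % (hashlib.sha256(blob).hexdigest(), path)
             for path, blob in sorted(files.items())]
    return ("\n".join(lines) + "\n").encode()


def build_digest_initrd(digest_lists: dict) -> bytes:
    # Store each list under a fixed (hypothetical) path the kernel could scan,
    # then close the archive with the mandatory TRAILER!!! record.
    out = b""
    for ino, (name, blob) in enumerate(sorted(digest_lists.items()), start=1):
        out += _newc_entry("kernel/digest_lists/" + name, blob, 0o100644, ino)
    return out + _newc_entry("TRAILER!!!", b"", 0, 0)


def read_newc(archive: bytes) -> dict:
    # Small reader used to verify the archive layout; returns {name: data}.
    entries, pos = {}, 0
    while True:
        assert archive[pos:pos + 6] == b"070701", "not a newc header"
        hdr = archive[pos + 6:pos + 110]
        fields = [int(hdr[i:i + 8], 16) for i in range(0, 104, 8)]
        size, namesize = fields[6], fields[11]
        name = archive[pos + 110:pos + 110 + namesize - 1].decode()
        pos += 110 + namesize
        pos += -pos % 4
        if name == "TRAILER!!!":
            return entries
        entries[name] = archive[pos:pos + size]
        pos += size + (-size % 4)


# Constructed sample package payload standing in for an RPM's files.
SAMPLE_PACKAGE_FILES = {
    "/usr/bin/true": b"#!/bin/sh\nexit 0\n",
    "/usr/lib/libfoo.so": b"\x7fELF-not-really",
}
INITRD = build_digest_initrd(
    {"coreutils-9.0.digests": make_digest_list(SAMPLE_PACKAGE_FILES)})
```

The resulting bytes could be concatenated after the regular initramfs on the kernel command line's initrd list; nothing here uploads anything to a running kernel.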