Hi Serge, On Fri, 2017-11-17 at 22:20 -0600, Serge E. Hallyn wrote: > On Tue, Nov 07, 2017 at 11:37:01AM +0100, Roberto Sassu wrote: > > from a predefined position (/etc/ima/digest_lists/metadata), when rootfs > > becomes available. Digest lists must be loaded before IMA appraisal is in > > enforcing mode. > > I'm sure there's a good reason for it, but this seems weird to me. > Why read it from a file on disk instead of accepting it through say > a securityfile write? Assuming that the concept of a white list is something we want to support, then at minimum the list needs to be signed and verified. Instead of defining a new Kconfig pathname option, a securityfs file could read it, like the IMA policy. Mimi
