Re: [PATCH V2 3/4] IMA: Optionally make use of filesystem-provided hashes

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 2019-05-02 at 15:37 -0700, Matthew Garrett wrote:
> On Thu, May 2, 2019 at 1:25 PM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> > Suppose instead of re-using the "d-ng" for the vfs hash, you defined a
> > new field named d-vfs.  Instead of the "ima-ng" or "d-ng|n-ng", the
> > template name could be "d-vfs|n-ng".
> 
> Is it legitimate to redefine d-ng such that if the hash comes from the
> filesystem it adds an additional prefix? This will only occur if the
> admin has explicitly enabled the trusted_vfs option, so we wouldn't
> break any existing configurations. Otherwise, I'll look for the
> cleanest approach for making this dynamic.

I would assume modifying d-ng would break existing attestation
servers.

Perhaps instead of making the template format dynamic based on fields,
as I suggested above, define a per policy rule template format option.

Mimi




[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux