On Thu, 2019-05-02 at 15:37 -0700, Matthew Garrett wrote:
> On Thu, May 2, 2019 at 1:25 PM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> > Suppose instead of re-using the "d-ng" for the vfs hash, you defined a
> > new field named d-vfs. Instead of the "ima-ng" or "d-ng|n-ng", the
> > template name could be "d-vfs|n-ng".
>
> Is it legitimate to redefine d-ng such that if the hash comes from the
> filesystem it adds an additional prefix? This will only occur if the
> admin has explicitly enabled the trusted_vfs option, so we wouldn't
> break any existing configurations. Otherwise, I'll look for the
> cleanest approach for making this dynamic.

I would assume modifying d-ng would break existing attestation servers.
Perhaps instead of making the template format dynamic based on fields, as
I suggested above, define a per policy rule template format option.

Mimi