On Wed, 15 Nov 2017, Patrick Ohly wrote:

> I have some experience with SMACK, but not with Apparmor. At least with
> SMACK the problem is that the LSM depends on integrity protection of
> the xattrs, but the integrity protection itself depends on the LSM, so
> there's a cycle. An attacker can much too easily make offline changes
> which then defeat whatever IMA policy the system might be using.

Isn't this what EVM is supposed to mitigate?

Can you explain the offline attack in this scenario?

--
James Morris
<james.l.morris@xxxxxxxxxx>