Re: [PATCH RFC 0/4] IMA on NFS prototype

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 2019-02-19 at 22:51 -0500, Chuck Lever wrote:
> > On Feb 19, 2019, at 7:36 PM, Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> > 
> > Hi Chuck,
> > 
> >> EVM is not supported in this prototype. NFS does not support several
> >> of the xattrs that are protected by EVM: SMACK64, Posix ACLs, and
> >> Linux file capabilities are not supported, which makes EVM more
> >> difficult to support on NFS mounts.
> > 
> > There's no requirement for all of these xattrs to exist.  If an xattr
> > does exist, then it is included in the security.evm hmac/signature.
> 
> Understood. The issue is that if they exist on a file residing on an NFS server,
> such xattrs would not be visible to clients. My understanding is that then EVM
> verification would fail on such files on NFS clients.
> 
> We could possibly make EVM work in limited scenarios until such time that
> the NFS protocol can make those xattrs available to NFS clients. I hope that
> having only security.ima is useful at least for experimenting and maybe more.
> 
> However, if folks think having security.evm also is needed, that is straight-
> forward... just saying that there are currently other limits in NFS that make a
> full EVM implementation problematic.

Thank you for the explanation.  Yes, I think there is a benefit of
having a file signature, without EVM.

Mimi




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux