On Mon, Jun 15, 2020 at 7:57 AM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote: > I think I mentioned this on a previous version of these patches, but I > would recommend including more than just the enabled and enforcing > states in your measurement. Other low-hanging fruit would be the > other selinux_state booleans (checkreqprot, initialized, > policycap[0..__POLICYDB_CAPABILITY_MAX]). Going a bit further one > could take a hash of the loaded policy by using security_read_policy() On second thought, you probably a variant of security_read_policy() since it would be a kernel-internal allocation and thus shouldn't use vmalloc_user(). > and then computing a hash using whatever hash ima prefers over the > returned data,len pair. You likely also need to think about how to > allow future extensibility of the state in a backward-compatible > manner, so that future additions do not immediately break systems > relying on older measurements.
