Re: [RFC] ima: export the measurement list when needed

Hi Janne,

Subject: Re: [RFC] ima: export the measurement list when needed
Date: Wed, 18 Dec 2019 17:11:22 +0200
From: Janne Karhunen <janne.karhunen@xxxxxxxxx>
To: linux-integrity@xxxxxxxxxxxxxxx, Mimi Zohar <zohar@xxxxxxxxxxxxx>
CC: Ken Goldman <kgold@xxxxxxxxxxxxx>, david.safford@xxxxxxxxx, monty.wiseman@xxxxxx

Hi,

Have in mind that below is the first trial draft that booted and
seemingly accomplished the task once; it was not really tested at all
yet. I will make a polished and tested version if people like the
concept.

Note that the code (almost) supports pushing and pulling of the
entries. This variant is a simple pull, given that the list size is
above the defined limits. Pushing can be put in place if the recursion
with the list extend_list_mutex is cleared; maybe this could be done
via another patch later on when we have a workqueue for the export
task? The workqueue might be the best context for the export job, since
clearing the list is a heavy operation (and it's not entirely correct
here AFAIK: there is no RCU sync before the template free).


-- Janne

On Wed, Dec 18, 2019 at 2:53 PM Janne Karhunen <janne.karhunen@xxxxxxxxx> wrote:

Some systems can end up carrying lots of entries in the ima
measurement list. Since every entry is using a bit of kernel
memory, add a new Kconfig variable to allow the sysadmin to
define the maximum measurement list size and the location
of the exported list.

The list is written out in append mode, so the system will
keep writing new entries as long as it stays running or runs
out of space. The file is also automatically truncated on startup.

Signed-off-by: Janne Karhunen <janne.karhunen@xxxxxxxxx>
---
 security/integrity/ima/Kconfig     |  10 ++
 security/integrity/ima/ima.h       |   7 +-
 security/integrity/ima/ima_fs.c    | 178 +++++++++++++++++++++++++++++
 security/integrity/ima/ima_queue.c |   2 +-
 4 files changed, 192 insertions(+), 5 deletions(-)

I've been looking into a solution to this same issue you started some work on. I was wondering if you are still working on it. I was considering taking your initial prototyping on this and extending it into a final solution, but I wanted to reply here first and check if you are currently working on this.



