Hi Raphael, Sorry I missed the reply. I'm not working on this right now, feel free to grab. Please copy me with the results, thank you. -- Janne On Tue, Aug 18, 2020 at 12:30 AM Raphael Gianotti <raphgi@xxxxxxxxxxxxxxxxxxx> wrote: > > > Hi Janne, > > Subject: Re: [RFC] ima: export the measurement list when needed > > Date: Wed, 18 Dec 2019 17:11:22 +0200 > > From: Janne Karhunen <janne.karhunen@xxxxxxxxx> > > To: linux-integrity@xxxxxxxxxxxxxxx, Mimi Zohar <zohar@xxxxxxxxxxxxx> > > CC: Ken Goldman <kgold@xxxxxxxxxxxxx>, david.safford@xxxxxxxxx, > > monty.wiseman@xxxxxx > > > > Hi, > > > > Have in mind that below is the first trial draft that booted and > > seemingly accomplished the task once, it was not really tested at all > > yet. I will make a polished and tested version if people like the > > concept. > > > > Note that the code (almost) supports pushing and pulling of the > > entries. This variant is a simple pull given that the list size is > > above the defined limits. Pushing can be put in place if the recursion > > with the list extend_list_mutex is cleared, maybe this could be done > > via another patch later on when we have a workqueue for the export > > task? The workqueue might be the best context for the export job since > > clearing the list is a heavy operation (and it's not entirely correct > > here AFAIK, there is no rcu sync before the template free). > > > > > > -- Janne > > > > On Wed, Dec 18, 2019 at 2:53 PM Janne Karhunen > > <janne.karhunen@xxxxxxxxx> wrote: > >> > >> Some systems can end up carrying lots of entries in the ima > >> measurement list. Since every entry is using a bit of kernel > >> memory, add a new Kconfig variable to allow the sysadmin to > >> define the maximum measurement list size and the location > >> of the exported list. > >> > >> The list is written out in append mode, so the system will > >> keep writing new entries as long as it stays running or runs > >> out of space. File is also automatically truncated on startup. > >> > >> Signed-off-by: Janne Karhunen <janne.karhunen@xxxxxxxxx> > >> --- > >> security/integrity/ima/Kconfig | 10 ++ > >> security/integrity/ima/ima.h | 7 +- > >> security/integrity/ima/ima_fs.c | 178 +++++++++++++++++++++++++++++ > >> security/integrity/ima/ima_queue.c | 2 +- > >> 4 files changed, 192 insertions(+), 5 deletions(-) > > I've been looking into a solution to this same issue you started some > work on. I was wondering if you are still working on it. I was > considering taking your initial prototyping on this and extending it > into a final solution, but I wanted to reply here first and check if you > are currently working on this. >
