Hi! > >How is it supposed to be useful? > > > >I'm pretty sure there are critical data that are not measured by > >proposed module... and that are written under normal circumstances. > > > The goal of this series is to introduce the IMA hook > measure_critical_data() and the necessary policies to use it; and > illustrate that use with one example (SELinux). It is not scalable to > identify and update all the critical data sources to use the proposed > module at once. > > A piecemeal approach to add more critical data measurement in subsequent > patches would be easy to implement and review. Basically every other data structure in kernel is "critical" by your definition, and you can't really measure them all; some of them change rather often. Going piecemeal does not really help here. Example of critical data structure: page table entries for process I own. Best regards, Pavel -- http://www.livejournal.com/~pavelmachek
Attachment:
signature.asc
Description: Digital signature