On Thu, 2021-12-02 at 08:41 -0500, Stefan Berger wrote:
> On 12/2/21 07:46, James Bottomley wrote:
> > On Tue, 2021-11-30 at 11:06 -0500, Stefan Berger wrote:
> > > Move measurement list related variables into the ima_namespace.
> > > This way a front-end like SecurityFS can show the measurement list
> > > inside an IMA namespace.
> > >
> > > Implement ima_free_measurements() to free a list of measurements
> > > and call it when an IMA namespace is deleted.
> >
> > This one worries me quite a lot. What seems to be happening in this
> > code:
> >
> > > @@ -107,7 +100,7 @@ static int ima_add_digest_entry(struct
> > > ima_namespace *ns,
> > >  qe->entry = entry;
> > >
> > >  INIT_LIST_HEAD(&qe->later);
> > > - list_add_tail_rcu(&qe->later, &ima_measurements);
> > > + list_add_tail_rcu(&qe->later, &ns->ima_measurements);
> > >
> > >  atomic_long_inc(&ns->ima_htable.len);
> > >  if (update_htable) {
> > >
> > is that we now only add the measurements to the namespace list, but
> > that list is freed when the namespace dies. However, the measurement
> > is still extended through the PCRs meaning we have incomplete
> > information for a replay after the namespace dies?
>
> *Not at all.* The measurement list of the namespace is independent of
> the host.
>
> The cover letter states:

I get that the host can set up a policy to log everything in the
namespace, but that wasn't my question. My question is can the guest
set up a policy to log something that doesn't go into the host log
(because the host hasn't asked for it to be logged) but extends a PCR
anyway, thus destroying the ability of the host to do log replay.

James
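Review bot: the lifetime of the list this hunk now targets no longer matches the lifetime of what it records. Entries go onto the per-namespace list with `list_add_tail_rcu(&qe->later, &ns->ima_measurements);`, and the commit message says ima_free_measurements() frees that list when the namespace is deleted, but a PCR extend done for the same entry cannot be undone, so once the namespace is gone the only record of that extend is lost to anyone replaying the log. Either keep entries that extended a PCR on a list that outlives the namespace, or document in the commit message how a verifier is expected to reproduce the PCR value afterwards. Separately, because readers walk this list under RCU, ima_free_measurements() needs to wait out in-flight readers (synchronize_rcu() before the walk, or kfree_rcu() per entry) before freeing the queue entries; nothing in the posted hunk shows that it does, so please state it in the commit message or show the free path.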
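The replay problem James is asking about is easy to see with a small verifier. The following is an added example written for this discussion, not code from the kernel or from the patch series; it models the PCR extend operation and a log replay in Python. Everything in it is constructed: the file paths, the template data (a readable "alg:digest path" string rather than the kernel's binary ima-ng template), and the assumption that a namespace-only measurement is extended into the same PCR, interleaved in time with host measurements, without appearing in the host's list.

```python
from __future__ import annotations

import hashlib

# SHA-256 PCR bank: PCR 10 starts out as all zero bytes at boot.
PCR_INIT = bytes(32)


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: new PCR = H(old PCR || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def template_hash(path: str, file_digest: bytes) -> bytes:
    """Hash of the template data for one log entry.

    Constructed stand-in for an ima-ng template hash: the kernel hashes the
    binary template fields; here we hash a readable 'alg:digest path' string.
    """
    data = f"sha256:{file_digest.hex()} {path}".encode()
    return hashlib.sha256(data).digest()


def measure(path: str) -> tuple[str, bytes]:
    """Build one measurement entry for a constructed file.

    The file 'content' is just the path string; a real verifier would use the
    digest of the actual file bytes.
    """
    file_digest = hashlib.sha256(path.encode()).digest()
    return (path, template_hash(path, file_digest))


def replay(log: list[tuple[str, bytes]]) -> bytes:
    """Recompute the PCR value a list of measurements should produce."""
    pcr = PCR_INIT
    for _path, th in log:
        pcr = pcr_extend(pcr, th)
    return pcr


def verify(log: list[tuple[str, bytes]], quoted_pcr: bytes) -> bool:
    """The verifier's check: does replaying the log reproduce the quoted PCR?"""
    return replay(log) == quoted_pcr


# Constructed sequence of events on one host running one IMA namespace.
HOST_EARLY = [measure("/usr/bin/bash"), measure("/usr/bin/ls")]
NS_ONLY = measure("/usr/local/bin/app")  # matched only by the namespace policy
HOST_LATE = [measure("/usr/bin/cat")]


def scenario() -> dict[str, bool]:
    """Compare replay from the host log alone against the real extend order."""
    # What the TPM actually saw: the namespace-only entry was extended too.
    actual_pcr = replay(HOST_EARLY + [NS_ONLY] + HOST_LATE)

    host_log = HOST_EARLY + HOST_LATE                   # what the host logged
    complete_log = HOST_EARLY + [NS_ONLY] + HOST_LATE   # host + ns entries, in order
    reordered_log = HOST_EARLY + HOST_LATE + [NS_ONLY]  # same entries, wrong order

    return {
        "host_log_replays": verify(host_log, actual_pcr),            # False
        "complete_log_replays": verify(complete_log, actual_pcr),    # True
        "reordered_log_replays": verify(reordered_log, actual_pcr),  # False
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {'ok' if ok else 'MISMATCH'}")
```

The point the example makes is that replay is not just a set check: the verifier needs every extended digest, in the order it was extended. A measurement that the namespace policy extends into PCR 10 but that the host list never records leaves the host unable to reproduce the quoted value, and merging the two lists only works if their relative order is preserved.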