On Sat, 2022-12-24 at 17:09 +0100, Enrico Bravi wrote: > Created new ima template ima-dep-cgn (dep|cgn|d-ng|n-ng) based on two > new fields: > - dep: list of dependencies of the process that generated > the measurement event. It is the concatenation, > column separated, of the execuatble's paths of all > ancestors of a specific task. > For processes belonging to containers, the dependecies list > contains the shim process that manages the container > lifecylcle. This ensures that a specifc process is > containerized. > - cgn: the subsys_id=1 cgroup name (cgroup_name()) of the process > that generated the measurement event. > In the case of conainerized processes this field contains the > full identifier assigned by the container runtime to the > specific container the process is executed in. This allows a > verifier to easily identify the the measurements related to a > specific container. > > This template permits to separately attest the host system and each specific > container. The goal of this patch is fine, but more details need to be provided. For example, please include sample measurement rules here in the patch description or in the cover letter with the associated sample output. An ima-evm-utils test, based on the github next-testing branch, would be much appreciated. thanks, Mimi
