On Wed, 2017-12-13 at 10:30 +1100, Dave Chinner wrote: > On Tue, Dec 12, 2017 at 10:04:56AM -0500, Mimi Zohar wrote: > > On Tue, 2017-12-12 at 06:36 -0800, Christoph Hellwig wrote: > > > On Tue, Dec 12, 2017 at 09:34:56AM -0500, Mimi Zohar wrote: > > > > On Tue, 2017-12-12 at 06:26 -0800, Christoph Hellwig wrote: > > > > > On Tue, Dec 12, 2017 at 09:21:09AM -0500, Mimi Zohar wrote: > > > > > > Move the XFS_SB_MAGIC definition to magic.h. > > > > > > > > > > NACK. We want to keep the XFS code self-contained and no other part > > > > > of the kernel has any business knowing it anyway. > > > > > > > > IMA policy rules can be defined in terms of magic numbers, but they > > > > need to be defined in magic.h. Please reconsider... > > > > > > That is completely bogus, and it should not be supported in any way. > > > File systems magic numbers are internal implementation details. > > > > Perhaps policies in general shouldn't differentiate between file > > systems, but it definitely simplifies testing. > > How does specifying a filesystem type in a generic layer's policy > implementation help testing? Based on file system, I could differentiate which files need to be signed. For example, the root file system might require files signatures only on executables, while for other file systems all files could require signatures. > > For example, currently IMA-appraisal only supports storing file > > signatures as xattrs, but support for appended signatures is being > > added. Per file system rules could require different types of file > > signatures. > > What's an "appended signature", and why is the filesystem > independent xattr interface insufficient for storing this > information? Unfortunately, not all filesystems support xattrs (eg. cpio/initramfs). In some cases, like kexec kernel image and initramfs, having an attached signatures simplifies network boot. scripts/sign-file is used to append a file signature to kernel modules. This same script could be used for signing other files, like the kexec kernel image and initramfs. Mimi -- To unsubscribe from this list: send the line "unsubscribe linux-xfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
