From: David S. <sa...@wa...> - 2010-08-20 13:50:45
> Unfortunately, our target device uses ymfs2 as its file system (android
> specific) which does not support extended attributes/labels. I know
> that there is a patch for this used/provided by selinux. But for my
> feeling this is in a way not the cleanest solution.
>
> Is there another way to use IMA for individual files without labels?
>
> nicolai

Currently there is no other way to designate specific files to measure, and I'm not sure how else you would do it.

When IMA is deciding whether or not to measure an inode, it has context information (including requesting uid and subject information), and the inode information (including owner and extended attributes). That's all an IMA policy has to make the decision.

If you want to be able to measure an arbitrary set of files, the filesystem attributes are the right place to indicate the selection. It is tempting to put the selection into the policy somehow, but there is no good way to do that. You can't put pathnames in the policy, and even if you translated paths into inodes, the result would not be scalable, and would have problems with creating and deleting files. That's functionality that belongs in the filesystem.

You could try to use the new fanotify system to push the decision up into a userspace database, but that would require an extension to fanotify, and would likely be quite slow.

We are open to suggestions, but I don't see a good way to do selection without labels.

dave
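The decision inputs David describes (requesting uid and subject, the inode's filesystem, owner and xattr labels, and nothing path-based) can be made concrete with a small first-match evaluator. This is an added example, not kernel code and not part of the original thread; it follows the rule syntax documented in the kernel's Documentation/ABI/testing/ima_policy (action followed by key=value conditions, first match wins). The `measured_conf_t` type is a hypothetical label, the YAFFS magic value is an assumption, and the `fowner=` key postdates this 2010 thread. The unlabelled-yaffs2 scenario shows the point of the reply: with no xattr to carry a label, the only rules that can still select a file are ones keyed on uid, hook or filesystem.

```python
"""Toy first-match evaluator for IMA measurement policy rules (added example).

Rule syntax follows Documentation/ABI/testing/ima_policy: one rule per line,
an action (measure/dont_measure) plus key=value conditions; the first rule whose
conditions all hold decides. Inputs mirror what IMA has at decision time: the
requesting uid and SELinux subject, and the inode's fs, owner and xattr labels.
There is deliberately no pathname in the context.
"""

# Filesystem magic numbers (PROC/EXT4 from the kernel's magic.h; the YAFFS
# value is an assumption for illustration, check yaffs_guts.h on your tree).
FSMAGIC_PROC = 0x9FA0
FSMAGIC_EXT4 = 0xEF53
FSMAGIC_YAFFS = 0x5941FF53

POLICY = """
# pseudo-filesystems are never measured
dont_measure fsmagic=0x9fa0
dont_measure fsmagic=0x62656572
# every execve is measured, no label needed
measure func=BPRM_CHECK
# per-file selection via an SELinux label (hypothetical type name);
# only matches when the filesystem can store security.selinux
measure func=FILE_CHECK mask=MAY_READ obj_type=measured_conf_t
# root's reads of anything else
measure func=FILE_CHECK mask=MAY_READ uid=0
"""


def parse_policy(text):
    """Parse ima_policy-style lines into [{'action': str, 'conds': {...}}]."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, *conds = line.split()
        if action not in ("measure", "dont_measure"):
            raise ValueError(f"unsupported action {action!r}")
        parsed = {}
        for cond in conds:
            key, sep, value = cond.partition("=")
            if not sep:
                raise ValueError(f"malformed condition {cond!r}")
            if key in ("uid", "fowner"):
                parsed[key] = int(value)
            elif key == "fsmagic":
                parsed[key] = int(value, 0)  # accepts 0x... like the kernel
            else:
                parsed[key] = value
        rules.append({"action": action, "conds": parsed})
    return rules


def obj_type_of(inode):
    """SELinux type of the object, or None if the fs stores no label."""
    label = inode["xattrs"].get("security.selinux")
    if label is None:
        return None
    fields = label.split(":")
    return fields[2] if len(fields) > 2 else None


def rule_matches(conds, ctx, inode):
    """Every condition must hold; a missing label never matches obj_type."""
    actual = {
        "func": lambda: ctx["func"],
        "mask": lambda: ctx["mask"],
        "uid": lambda: ctx["uid"],
        "subj_type": lambda: ctx.get("subj_type"),
        "fsmagic": lambda: inode["fsmagic"],
        "fowner": lambda: inode["fowner"],
        "obj_type": lambda: obj_type_of(inode),
    }
    for key, want in conds.items():
        if key not in actual:
            raise ValueError(f"unsupported condition key {key!r}")
        if actual[key]() != want:
            return False
    return True


def decide(rules, ctx, inode):
    """Action of the first matching rule, or None (file not measured)."""
    for rule in rules:
        if rule_matches(rule["conds"], ctx, inode):
            return rule["action"]
    return None


# Constructed scenarios: the same config file on labelled ext4 and on an
# xattr-less yaffs2, plus an execve and a /proc read.
LABELLED = {"fsmagic": FSMAGIC_EXT4, "fowner": 0,
            "xattrs": {"security.selinux": "system_u:object_r:measured_conf_t:s0"}}
UNLABELLED = {"fsmagic": FSMAGIC_YAFFS, "fowner": 0, "xattrs": {}}
PROC_FILE = {"fsmagic": FSMAGIC_PROC, "fowner": 0, "xattrs": {}}
READ_USER = {"func": "FILE_CHECK", "mask": "MAY_READ", "uid": 1000}
READ_ROOT = {"func": "FILE_CHECK", "mask": "MAY_READ", "uid": 0}
EXEC_USER = {"func": "BPRM_CHECK", "mask": "MAY_EXEC", "uid": 1000}

SCENARIOS = {
    "user_reads_labelled_conf": (READ_USER, LABELLED),
    "user_reads_unlabelled_conf": (READ_USER, UNLABELLED),
    "root_reads_unlabelled_conf": (READ_ROOT, UNLABELLED),
    "user_execs_on_yaffs": (EXEC_USER, UNLABELLED),
    "root_reads_proc": (READ_ROOT, PROC_FILE),
}


def run_scenarios(policy=POLICY):
    rules = parse_policy(policy)
    return {name: decide(rules, ctx, inode) for name, (ctx, inode) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, action in run_scenarios().items():
        print(f"{name:28s} -> {action}")
```

Running it shows the labelled copy of the file measured for any user, the unlabelled yaffs2 copy measured only when root reads it or when it is executed, and the /proc read stopped by the `dont_measure fsmagic=` rule before any measure rule is consulted.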