From: Mimi Z. <zo...@li...> - 2013-02-25 16:17:26
On Mon, 2013-02-25 at 07:43 -0800, Peter Moody wrote:
> No issues from me. Do you have any pointers on how something like this
> would be configured?

I don't think it would be a configuration issue so much. Without
IMA-appraisal enabled, collection would remain the same as it does today,
using a single system defined hash algorithm. For those systems with
IMA-appraisal enabled, the file hash/signature in 'security.ima' would
contain the hash algorithm. Prior to collecting, or as part of collecting,
we would need to pre-read the extended attribute to know which hash
algorithm to use.

Dmitry has some initial patches in his linux-digsig-working tree:

d0b7a6a ima: read and use signature hash algorithm
b16e2c9 ima: pass hash algo info to collecting functions
2868435 ima: remove xattr value from iint object

These changes would affect the measurement lists. Some of the template
patches could be resurrected to address these issues:

ima: add template length to binary runtime measurement
ima: add support for additional template hash algorithm
ima: define ima nglong template
ima: add LSM labels to the ima nglong template

thanks,

Mimi
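As an added example, not code from this mail or from Dmitry's tree, the pre-read step described above in Python: parse the 'security.ima' value to find which hash algorithm the file was hashed or signed with, and fall back to the single system default when the legacy digest form carries none. The xattr type bytes, the signature header layout and the hash algorithm ids follow the layout later merged into the kernel and are an assumption here; the sample xattr values and file contents are constructed.

```python
import hashlib
import struct

# Assumption (the layout later merged into the kernel, not taken from this mail):
# byte 0 of security.ima is the xattr type; digest_ng and digsig values carry a
# hash algorithm id (enum hash_algo) after it, the legacy digest form does not.
IMA_XATTR_DIGEST = 0x01      # type + raw digest, hashed with the system default
EVM_IMA_XATTR_DIGSIG = 0x03  # signature_v2_hdr: type, version, hash_algo, keyid, sig_size, sig
IMA_XATTR_DIGEST_NG = 0x04   # type + hash_algo + digest
HASH_ALGO_NAMES = {2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512", 7: "sha224"}

def select_hash_algo(xattr, system_default="sha1"):
    """Pre-read security.ima and return the algorithm to hash the file with.
    With no algorithm in the xattr, collection keeps the single system default."""
    if not xattr or xattr[0] == IMA_XATTR_DIGEST:
        return system_default
    if xattr[0] == IMA_XATTR_DIGEST_NG and len(xattr) >= 2:
        algo_id = xattr[1]
    elif xattr[0] == EVM_IMA_XATTR_DIGSIG and len(xattr) >= 9:
        _, version, algo_id, _keyid, _sig_size = struct.unpack(">BBBIH", xattr[:9])
        if version != 2:
            raise ValueError("unsupported signature header version %d" % version)
    else:
        raise ValueError("malformed security.ima value")
    if algo_id not in HASH_ALGO_NAMES:
        raise ValueError("unsupported hash algorithm id %d" % algo_id)
    return HASH_ALGO_NAMES[algo_id]

def collect(data, xattr, system_default="sha1"):
    """Collect the measurement: (algorithm name, hex digest of the file contents)."""
    algo = select_hash_algo(xattr, system_default)
    return algo, hashlib.new(algo, data).hexdigest()

def make_digest_ng_xattr(data, algo):
    """Build a digest_ng security.ima value for constructed test data."""
    algo_id = {name: i for i, name in HASH_ALGO_NAMES.items()}[algo]
    return bytes([IMA_XATTR_DIGEST_NG, algo_id]) + hashlib.new(algo, data).digest()

def appraise_digest(data, xattr):
    """Appraise a digest-type xattr: recompute with the algorithm it names and
    compare with the stored digest (signature verification needs a key, not done here)."""
    if not xattr or xattr[0] not in (IMA_XATTR_DIGEST, IMA_XATTR_DIGEST_NG):
        raise ValueError("appraise_digest handles digest xattrs only")
    algo, _ = collect(data, xattr)
    stored = xattr[1:] if xattr[0] == IMA_XATTR_DIGEST else xattr[2:]
    return hashlib.new(algo, data).digest() == stored
```

On a real system the xattr bytes would come from `os.getxattr(path, "security.ima")`, and a mismatch in `appraise_digest` is what IMA-appraisal would report as a failed appraisal.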