Menu
▾
▴
Re: [Linux-ima-user] copying files with security.ima xattr
|
From: Patrick O. <pat...@in...> - 2016-11-15 14:28:22
|
On Thu, 2016-11-03 at 08:58 +0100, Patrick Ohly wrote: > On Wed, 2016-11-02 at 09:47 -0400, Mimi Zohar wrote: > > In order to revert the patch, we need to explain the reason for doing > > so. Could you expand/update the two reasons given below? > > > > - Applications have been modified to write security xattrs, but they are > > not necessarily context aware. In the case of security.ima, the > > security xattr can be either a file hash or a file signature. > > Permitting writing one, but not the other requires the application to be > > context aware. > > > > - Applications write files to a staging area, which might not be in > > policy, and then change some file metadata (eg owner) making it in > > policy. As a result, these files are not labeled properly. > > That describes it well. Let's move this forward. Mimi, I'll send a patch to this list to keep the discussion and the resulting code change in one place. Does that work for you? The patch applies cleanly to your "next" branch in git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity. -- Best Regards, Patrick Ohly The content of this message is my personal opinion only and although I am an employee of Intel, the statements I make here in no way represent Intel's position on the issue, nor am I authorized to speak on behalf of Intel on this matter. |
