Menu
▾
▴
Re: [Linux-ima-user] copying files with security.ima xattr
|
From: Mimi Z. <zo...@li...> - 2016-11-15 14:39:10
|
On Tue, 2016-11-15 at 15:28 +0100, Patrick Ohly wrote: > On Thu, 2016-11-03 at 08:58 +0100, Patrick Ohly wrote: > > On Wed, 2016-11-02 at 09:47 -0400, Mimi Zohar wrote: > > > In order to revert the patch, we need to explain the reason for doing > > > so. Could you expand/update the two reasons given below? > > > > > > - Applications have been modified to write security xattrs, but they are > > > not necessarily context aware. In the case of security.ima, the > > > security xattr can be either a file hash or a file signature. > > > Permitting writing one, but not the other requires the application to be > > > context aware. > > > > > > - Applications write files to a staging area, which might not be in > > > policy, and then change some file metadata (eg owner) making it in > > > policy. As a result, these files are not labeled properly. > > > > That describes it well. > > Let's move this forward. Mimi, I'll send a patch to this list to keep > the discussion and the resulting code change in one place. Does that > work for you? > > The patch applies cleanly to your "next" branch in > git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity. I didn't forget. It's already queued in the #next-fixes branch with a couple of other fixes. 7bbebfd4f0fc Revert "ima: limit file hash setting by user to fix and log modes" Before moving them to the usual #next branch, I need to speak with Andrew Morton, who is carrying the IMA kexec patches. Sorry for the confusion! Mimi |
