Re: [PATCH] 3 of 5 IMA: LSM-based measurement code

From: Chris Wright
Date: Wed Jun 15 2005 - 16:11:38 EST

Next message: Steven Rostedt: "Re: [BUG] Race condition with it_real_fn in kernel/itimer.c"
Previous message: Dave Hansen: "Re: [RFC] Linux memory error handling"
In reply to: serue: "Re: [PATCH] 3 of 5 IMA: LSM-based measurement code"
Next in thread: serue: "Re: [PATCH] 3 of 5 IMA: LSM-based measurement code"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* serue@xxxxxxxxxx (serue@xxxxxxxxxx) wrote:
> Since IMA provides support for a new type of security policy,
> specifically remote system integrity verification, I don't see
> where LSM shouldn't necessarily be used.
>
> I'm also curious about the current kernel development approach:
> On the one hand, when filesystem auditing was introduced, Christoph
> asked whether inotify and audit should be merged because they hook
> some of the same places. Can someone reconcile these points of view
> for me, please? If Reiner goes ahead and moves the IMA code straight
> into the kernel, does anyone doubt that he'll be asked to merge it
> with LSM?

The primary purpose of the hooks is access control. Some of them, of
course, are helpers to keep labels coherent. IIRC, James objected
because the measurement data was simply collected from these hooks.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Steven Rostedt: "Re: [BUG] Race condition with it_real_fn in kernel/itimer.c"
Previous message: Dave Hansen: "Re: [RFC] Linux memory error handling"
In reply to: serue: "Re: [PATCH] 3 of 5 IMA: LSM-based measurement code"
Next in thread: serue: "Re: [PATCH] 3 of 5 IMA: LSM-based measurement code"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]