Re: [Linux-ima-devel] [RFC PATCH 1/5] ima: extend clone() with IMA namespace support

From: Mimi Zohar
Date: Mon Jul 31 2017 - 07:32:17 EST


On Fri, 2017-07-28 at 14:19 +0000, Magalhaes, Guilherme (Brazil R&D-CL) wrote:
> > > Each measurement entry in the list could have new fields to identify
> > > the namespace. Since the namespaces can be reused, a timestamp or
> > > other fields could be added to uniquely identify the namespace id.
> >
> > The more fields included in the measurement list, the more
> > measurements will be added to the measurement list. Wouldn't it be
> > enough to know that a certain file has been accessed/executed on the
> > system and base any analytics/forensics on the IMA-audit data?
>
> With the recursive application of policy through the namespace hierarchy,
> a measurement added to the parent namespace could be misleading since
> the file pathname makes sense in the current namespace but possibly not
> for the parent namespace.

Fair enough.

> This is the reason why I believe some new field
> might be needed in the IMA template format to indicate or uniquely
> identify the namespace.

I would probably include information to uniquely identify the file
(e.g. UUID, mountpoint), not the namespace.
Mimi
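The point under discussion, that a pathname alone no longer identifies a file once the same path can exist in several namespaces or mounts, can be seen in a small measurement-list parser. The following is an added example and not code from the thread or from the IMA tree: it parses constructed lines in the real `ima-ng` layout (pcr, template hash, template name, `algo:hash`, pathname) and in a hypothetical extended template called `ima-ng-id` here, which is an assumption for illustration and carries a filesystem UUID and mountpoint before the pathname. All hash values are placeholders. With the pathname as the only key, two different file contents measured under the same path collapse into one ambiguous identity; with the UUID and mountpoint added they separate cleanly.

```python
from collections import defaultdict

# Constructed sample lines (placeholder digests, not real measurements).
# Lines 1-2: real 'ima-ng' layout  -> <pcr> <tmpl-hash> ima-ng <algo>:<hash> <path>
# Lines 3-4: hypothetical 'ima-ng-id' layout (assumption for this example)
#            -> <pcr> <tmpl-hash> ima-ng-id <algo>:<hash> <fs-uuid> <mountpoint> <path>
SAMPLE_LINES = [
    "10 " + "01" * 20 + " ima-ng sha256:" + "aa" * 32 + " /usr/bin/bash",
    "10 " + "02" * 20 + " ima-ng sha256:" + "bb" * 32 + " /usr/bin/bash",
    "10 " + "03" * 20 + " ima-ng-id sha256:" + "aa" * 32
        + " 1111-2222 / /usr/bin/bash",
    "10 " + "04" * 20 + " ima-ng-id sha256:" + "bb" * 32
        + " 3333-4444 /var/lib/containers/rootfs /usr/bin/bash",
]


def parse_entry(line):
    """Parse one ascii measurement-list line into a dict.

    The pathname is always the trailing field so it may contain spaces;
    every other field is split off from the left with a bounded split.
    """
    pcr, template_hash, template, rest = line.split(" ", 3)
    if template == "ima-ng":
        digest, path = rest.split(" ", 1)
        uuid = mountpoint = None
    elif template == "ima-ng-id":  # hypothetical extended template
        digest, uuid, mountpoint, path = rest.split(" ", 3)
    else:
        raise ValueError(f"unsupported template {template!r}")
    algo, _, file_hash = digest.partition(":")
    return {
        "pcr": int(pcr),
        "template_hash": template_hash,
        "template": template,
        "algo": algo,
        "hash": file_hash,
        "uuid": uuid,
        "mountpoint": mountpoint,
        "path": path,
    }


def parse_all(lines):
    return [parse_entry(line) for line in lines]


def identity_key(entry, use_fs_identity):
    """Key that is supposed to name exactly one file."""
    if use_fs_identity:
        return (entry["uuid"], entry["mountpoint"], entry["path"])
    return (entry["path"],)


def ambiguous_identities(entries, use_fs_identity):
    """Return identity keys that carry more than one distinct file hash.

    Such a key does not identify a single file: two different contents
    were measured under it, which is exactly what happens when the same
    pathname is reachable from different namespaces or mounts.
    """
    hashes_per_key = defaultdict(set)
    for entry in entries:
        hashes_per_key[identity_key(entry, use_fs_identity)].add(entry["hash"])
    return {key for key, hashes in hashes_per_key.items() if len(hashes) > 1}


if __name__ == "__main__":
    entries = parse_all(SAMPLE_LINES)
    plain = [e for e in entries if e["template"] == "ima-ng"]
    extended = [e for e in entries if e["template"] == "ima-ng-id"]
    print("ima-ng, path-only key   :", ambiguous_identities(plain, False))
    print("ima-ng-id, path-only key:", ambiguous_identities(extended, False))
    print("ima-ng-id, fs identity  :", ambiguous_identities(extended, True))
```

Running the block prints one ambiguous key (`/usr/bin/bash`) for both path-only cases and an empty set once the UUID and mountpoint are part of the key. Which fields actually go into a template is the design question the thread leaves open; the parser only needs the template name to know how many fields precede the pathname.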