LKML Archive on lore.kernel.org
From: Mimi Zohar <zohar@linux.ibm.com>
To: prakhar srivastava <prsriva02@gmail.com>
Cc: linux-integrity@vger.kernel.org,
	inux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org, ebiederm@xmission.com,
	vgoyal@redhat.com, Prakhar Srivastava <prsriva@microsoft.com>
Subject: Re: [PATCH 1/3 v5] add a new ima hook and policy to measure the cmdline
Date: Tue, 14 May 2019 10:36:54 -0400	[thread overview]
Message-ID: <1557844614.4139.47.camel@linux.ibm.com> (raw)
In-Reply-To: <CAEFn8qJNzG5scBcdVbrXpY7ZEbku+yNbMZn3M=JUW8nNZbGKoQ@mail.gmail.com>


> > > +{
> > > +
> > > +     if (action & IMA_MEASURE)
> > > +             ret = ima_store_template(entry, violation, NULL, buf, pcr);
> > > +
> > > +     if (action & IMA_AUDIT)
> > > +             ima_audit_measurement(iint, event_data.filename);
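Review bot: in the IMA_MEASURE branch, ret takes the return value of ima_store_template(), but nothing in the quoted lines checks it, and the IMA_AUDIT branch then runs regardless of whether the measurement was actually stored; either propagate or log the error before auditing, or drop the assignment if the result is deliberately ignored. The ima_audit_measurement(iint, event_data.filename) call is IMA-audit behaviour rather than measurement and, if it is wanted at all, should arrive as its own patch with a description that says so.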
> >
> > The cover letter and patch description say this patch set is limited
> > to measuring the boot command line - IMA-measurement.
> > ima_audit_measurement() adds file hashes in the audit log, which can
> > be used for security analytics and/or forensics.  This is part of IMA-
> > audit.  The call to ima_audit_measurement() is inappropriate.
> >
> To clarify, in one of the previous versions you mentioned it
> might be helpful to add audit.

The original question was whether the kexec command line should ONLY
be measured.  That decision impacts whether a new function
(process_buffer_measurement) is needed or whether you should still
call process_measurement().

> I might have misunderstood you, but I will remove the
> audit_measurement and make other corrections.
> Thank you for your feedback.

Even if it was agreed that you were adding the ability to measure and
audit the kexec boot command line, the cover letter, the patch
descriptions and the patches themselves would need to reflect that.
The call to ima_audit_measurement() would not be hidden like this,
but included as a separate patch.

Mimi

Thread overview: 14+ messages
2019-05-10 22:37 [PATCH 0/3 v5] Kexec cmdline bufffer measure Prakhar Srivastava
2019-05-10 22:37 ` [PATCH 1/3 v5] add a new ima hook and policy to measure the cmdline Prakhar Srivastava
2019-05-13 16:56   ` Mimi Zohar
2019-05-14  4:53     ` prakhar srivastava
2019-05-14 14:36       ` Mimi Zohar [this message]
2019-05-10 22:37 ` [PATCH 2/3 v5] add a new template field buf to contain the buffer Prakhar Srivastava
2019-05-13 13:48   ` Roberto Sassu
2019-05-14  5:07     ` prakhar srivastava
2019-05-14 13:22       ` Roberto Sassu
2019-05-17 23:32         ` prakhar srivastava
2019-05-20 12:18           ` Roberto Sassu
2019-05-10 22:37 ` [PATCH 3/3 v5] call ima_kexec_cmdline from kexec_file_load path Prakhar Srivastava
2019-05-14 14:46   ` Mimi Zohar
  -- strict thread matches above, loose matches on Subject: below --
2019-05-10 22:32 [PATCH 0/3 v5] Kexec cmdline bufffer measure Prakhar Srivastava
2019-05-10 22:32 ` [PATCH 1/3 v5] add a new ima hook and policy to measure the cmdline Prakhar Srivastava
