Re: [PATCH v6 8/8] selinux: measure state and hash of the policy using IMA

[Lakshmi Ramasubramanian]

On 11/20/20 7:49 AM, Mimi Zohar wrote:
Hi Mimi,

> On Thu, 2020-11-19 at 15:26 -0800, Tushar Sugandhi wrote:
> > From: Lakshmi Ramasubramanian <nramas@xxxxxxxxxxxxxxxxxxx>
> >
> > IMA measures files and buffer data such as keys, command line arguments
> > passed to the kernel on kexec system call, etc. While these measurements
> > enable monitoring and validating the integrity of the system, it is not
> > sufficient.
>
> The above paragraph would make a good cover letter introduction.

Agreed - will add this paragraph to the cover letter as well.

> > In-memory data structures maintained by various kernel
> > components store the current state and policies configured for
> > the components.
>
> Various data structures, policies and state stored in kernel memory
> also impact the  integrity of the system.

Will update.

> The 2nd paragraph could provide examples of such integrity critical
> data.

Will do.

> This patch set introduces a new IMA hook named
> ima_measure_critical_data() to measure kernel integrity critical data.

*Question*
I am not clear about this one - do you mean add the following line in 
the patch description for the selinux patch?

"This patch introduces the first use of the new IMA hook namely 
ima_measures_critical_data() to measure the integrity critical data for 
SELinux"

thanks,
 -lakshmi