Re: [RFC] [Patch 1/1] IBAC Patch
From: Serge E. Hallyn
Date: Fri Mar 09 2007 - 10:08:27 EST
Quoting Valdis.Kletnieks@xxxxxx (Valdis.Kletnieks@xxxxxx):
> On Thu, 08 Mar 2007 17:58:16 EST, Mimi Zohar said:
> > This is a request for comments for a new Integrity Based Access
> > Control(IBAC) LSM module which bases access control decisions
> > on the new integrity framework services.
> >
> > (Hopefully this will help clarify the interaction between an LSM
> > module and LIM module.)
>
> OK, between this and the additional LIM hooks I didn't notice in an earlier
> patch, we're starting to see the API. The only problem is that although
> it may be the right API for *your* code, I suspect it's a non-starter without
> a discussion about whether it's the right *generic* API for an LIM (which will
> require at least one dramatic bun fight about what "Integrity" means).
Casey's earlier message suggested this too. 'Integrity' here in
particular does not mean online integrity guarantees through, i.e.,
information flow control. So perhaps instead of 'integrity' we should
make sure to always say 'integrity measurement'. Of course then there
is already the 'integrity measurement architecture' which is only one
implementation of a LIM module, right? So it would need to be renamed
to TIMA (TPM-enabled IMA) or something I guess.
-serge
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/