RE: [Linux-ima-devel] [RFC PATCH 1/5] ima: extend clone() with IMA namespace support

From: Magalhaes, Guilherme (Brazil R&D-CL)
Date: Fri Jul 28 2017 - 10:20:25 EST


> > Each measurement entry in the list could have new fields to identify
> > the namespace. Since the namespaces can be reused, a timestamp or
> > others fields could be added to uniquely identify the namespace id.
>
> The more fields included in the measurement list, the more
> measurements will be added to the measurement list. Wouldn't it be
> enough to know that a certain file has been accessed/executed on the
> system and base any analytics/forensics on the IMA-audit data.

With the recursive application of policy through the namespace hierarchy,
a measurement added to the parent namespace could be misleading since
the file pathname makes sense in the current namespace but possibly not
for the parent namespace. This is the reason why I believe some new field
might be needed in the IMA template format to indicate or uniquely
identify the namespace.

--
Guilherme