Re: [PATCH v2 2/3] ima: don't ignore INTEGRITY_UNKNOWN EVM status

From: James Bottomley
Date: Tue Jun 04 2019 - 05:01:18 EST


On Mon, 2019-06-03 at 16:44 +0200, Roberto Sassu wrote:
> On 6/3/2019 4:31 PM, James Bottomley wrote:
> > On Mon, 2019-06-03 at 16:29 +0200, Roberto Sassu wrote:
[...]
> > > How would you prevent root in the container from updating
> > > security.ima?
> >
> > We don't. We only guarantee immutability for unprivileged
> > containers, so root can't be inside.
>
> Ok.
>
> Regarding the new behavior, this must be explicitly enabled by adding
> ima_appraise=enforce-evm or log-evm to the kernel command line.
> Otherwise, the current behavior is preserved with this patch. Would
> this be ok?

Sure, as long as it's an opt-in flag, meaning the behaviour of my
kernels on physical cloud systems doesn't change as I upgrade them, I'm
fine with that.

James