Re: [PATCH v5 3/4] LSM: Define SELinux function to measure state and policy

From: Lakshmi Ramasubramanian
Date: Tue Aug 04 2020 - 11:57:32 EST


On 8/4/20 8:29 AM, Stephen Smalley wrote:

>> Perhaps vmalloc would be better than using kmalloc? If there are better options for such large buffer allocation, please let me know.
>
> kvmalloc() can be used to select whichever one is most appropriate.
>
> Other option would be for ima to compute and save the hash(es) of the payload and not the payload itself for later use.  I guess you won't know at that point which hash algorithm is desired?


I think IMA hash algorithm would be known at that point, but IMA policy is not loaded yet (which is why I need to queue up the buffer and process when policy is loaded).

I tried vmalloc and tested it with up to 16MB buffer (just made up a SELinux policy buffer of size 16MB) - that works fine.

I will try kvmalloc().

Also, I fixed the issue with LSM data not measured when using the IMA policy you had. Good catch.

Will post the updated patches today.

thanks,
-lakshmi