Re: [PATCH v5 3/7] IMA: add hook to measure critical data
From: Mimi Zohar
Date: Thu Nov 12 2020 - 18:57:00 EST
Hi Tushar,
On Thu, 2020-11-12 at 13:57 -0800, Tushar Sugandhi wrote:
> >> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> >> index 4485d87c0aa5..6e1b11dcba53 100644
> >> --- a/security/integrity/ima/ima_main.c
> >> +++ b/security/integrity/ima/ima_main.c
> >> @@ -921,6 +921,44 @@ void ima_kexec_cmdline(int kernel_fd, const void *buf, int size)
> >> fdput(f);
> >> }
> >>
> >> +/**
> >> + * ima_measure_critical_data - measure kernel subsystem data
> >> + * critical to integrity of the kernel
> >
> > Please change this to "measure kernel integrity critical data".
> >
> *Question*
> Thanks Mimi. Do you want us just to update the description, or do you
> want us to update the function name too?
Just the description.
>
> I believe you meant just description, but still want to clarify.
>
> ima_measure_kernel_integrity_critical_data() would be too long.
> Maybe ima_measure_integrity_critical_data()?
>
> Or do you want us to keep the existing ima_measure_critical_data()?
> Could you please let us know?
>
> >> + * @event_data_source: name of the data source being measured;
> >> + * typically it should be the name of the kernel subsystem that is sending
> >> + * the data for measurement
> >
> > Including "data_source" here isn't quite right. "data source" should
> > only be added in the first patch which uses it, not here. When adding
> > it please shorten the field description to "kernel data source". The
> > longer explanation can be included in the longer function description.
> >
> *Question*
> Do you mean the parameter @event_data_source should be removed from this
> patch? And then later added in patch 7/7 – where SeLinux uses it?
Data source support doesn't belong in this patch. Each patch should do
one logical thing and only that one thing. This patch is adding
support for measuring critical data. The data source patch will limit
the critical data being measured.
Other than updating the data source list in the documentation,
definitely do not add data source support to the SELinux patch.
thanks,
Mimi