Re: [PATCH] 3 of 5 IMA: LSM-based measurement code

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Quoting James Morris ([email protected]):
> On Wed, 15 Jun 2005, Reiner Sailer wrote:
> 
> > This patch applies against linux-2.6.12-rc6-mm1 and provides the main
> > Integrity Measurement Architecture code (LSM-based).
> 
> Why are you still trying to use LSM for this?

A long, long time ago, Crispin defined LSM's purpose as:

>> Main goal : we have to design a generic framework to be able to use
>> better
>> security policies than the current ones (DAC and capabilities).
>
>Sort of. We have to design a generic interface that exports enough
>kernel
>functionality to allow security developers to go off and create these
>better
>security policy modules. 

Since IMA provides support for a new type of security policy,
specifically remote system integrity verification, I don't see
where LSM shouldn't necessarily be used.

I'm also curious about the current kernel development approach:
On the one hand, when filesystem auditing was introduced, Christoph
asked whether inotify and audit should be merged because they hook
some of the same places.  Can someone reconcile these points of view
for me, please?  If Reiner goes ahead and moves the IMA code straight
into the kernel, does anyone doubt that he'll be asked to merge it
with LSM?

I'm not pushing one way or the other - I don't care whether IMA is
an LSM or not :)  I just don't understand the current climate.

thanks,
-serge
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux