From: Paul Moore
Date: Thu, 4 Mar 2021 20:45:41 -0500
Subject: Re: [PATCH v3] selinux: measure state and policy capabilities
To: Lakshmi Ramasubramanian
Cc: zohar@linux.ibm.com, Stephen Smalley, tusharsu@linux.microsoft.com, tyhicks@linux.microsoft.com, casey@schaufler-ca.com, agk@redhat.com, snitzer@redhat.com, gmazyland@gmail.com, sashal@kernel.org, James Morris, linux-integrity@vger.kernel.org, selinux@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
In-Reply-To: <87273030-2303-e791-4e5d-25373faf0880@linux.microsoft.com>
References: <20210212163709.3139-1-nramas@linux.microsoft.com> <87273030-2303-e791-4e5d-25373faf0880@linux.microsoft.com>
List-ID: linux-kernel@vger.kernel.org

On Thu, Mar 4, 2021 at 2:20 PM Lakshmi Ramasubramanian wrote:
> On 2/12/21 8:37 AM, Lakshmi Ramasubramanian wrote:
>
> Hi Paul,
>
> > SELinux stores the configuration state and the policy capabilities
> > in kernel memory. Changes to this data at runtime would have an impact
> > on the security guarantees provided by SELinux. Measuring this data
> > through the IMA subsystem provides a tamper-resistant way for
> > an attestation service to remotely validate it at runtime.
> >
> > Measure the configuration state and policy capabilities by calling
> > the IMA hook ima_measure_critical_data().
> >
>
> I have addressed your comments on the v2 patch for selinux measurement
> using IMA. Could you please let me know if there are any other comments
> that I need to address in this patch?

The merge window just closed earlier this week, and there were a handful
of bugs that needed to be addressed before I could look at this patch.
If I don't get a chance to review this patch tonight, I will try to get
to it this weekend or early next week.

-- 
paul moore
www.paul-moore.com