Subject: Re: verified exec per page fingerprints
To: Eric Haszlakiewicz <erh@nimenees.com>
From: Brett Lymn <blymn@baesystems.com.au>
List: tech-kern
Date: 11/15/2005 21:17:41

On Tue, Nov 15, 2005 at 02:43:47AM -0600, Eric Haszlakiewicz wrote:
> 
> By "conditional" do you mean a mount flag that is different for different
> files on a unionfs? 

No - more like conditional on having veriexec in the kernel or not.  I
suppose we could silently ignore the flag, but what if the intent
really was to have veriexec working... having a mount fail due to a
missing kernel option is just as bad.

The problem I see with making the 'untrusted' option a mount flag is
that it separates the configuration information for veriexec into two
places, partly in the mount options and partly in the veriexec control
file.  Though having the flag on a per-file basis seems a bit
excessive, it does mean that all the information is in one place so
should be easier to keep in sync.

-- 
Brett Lymn