Hi Aaron, On Thu, 2024-05-09 at 13:56 -0400, Aaron Merey wrote: > I know there's already been a lot of discussion re. ima:permissive and > I'm weighing in rather late, but FWIW I do support including it. > Currently individual ELF sections cannot be downloaded when > ima:enforcing is active. With ima:permissive we could support proper > section queries while also being able to perform some amount of > ima verification.
But what would "some amount of ima verification" mean? I think we (me included, for suggesting some of it in the first place) made things way to complicated by supporting multiple different ima certificates and then also splitting ima verification policy per server URL. If we also add different policies for the "amount" of ima we do then it because really hard to reason about imho. We should probably take a step back and formulate the security attack we are trying to defend against with ima verification first. Cheers, Mark
