On Mon, Oct 18, 2010 at 12:48:54PM -0400, Eric Paris wrote:
I can address this on the fedora list, but I think this is the
approach. IMA is supposed to be of negligible impact when not 'enabled'
and I believe the right solution is to fix places where that isn't true.
At the moment 3 have been identified.
My beef is #2, which is what I want to see solved. If there's a million
people using Fedora, and 2 people use IMA, that's an awful lot of bytes
that could be otherwise used.
I think it should be entirely opt in, with a CONFIG_IMA_DEFAULT_ON or
something like we do for security hooks.
Anyway, if you can address #2, then I'm happy having it enabled. If it's
taken us this long to notice the impact, then it doesn't seem to be
all that large in the general case, and if it can be reduced, then that
should make everyone happy.