> > > @@ -971,6 +1006,16 @@ void __init ima_init_policy(void)
> > > {
> > > int build_appraise_entries, arch_entries;
> > >
> > > + /*
> > > + * We need to load digest cache rules at the beginning, to avoid dont_
> > > + * rules causing ours to not be reached.
> > > + */
> >
> > "lockdown" trusts IMA to measure and appraise kernel modules, if the rule
> > exists. Placing the digest_cache first breaks this trust.
>
> The new rules don't prevent other rules from being reached, since they are
> 'do' and not 'dont_' rules.

My mistake. These are just the rules for measuring or appraising the digest
cache lists themselves, not the actual policy rules for using the
digest_cache. This should be fine.

Perhaps update the comment to reflect initramfs usage.

thanks,

Mimi
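Review bot: the comment added at the top of the hunk says why the rules go first (ahead of any dont_measure/dont_appraise entry) but not what they are, which is why it reads as if digest cache rules take precedence over the rest of the policy and prompted the lockdown concern in review. Name the scope in the comment, e.g. "Rules to measure/appraise the digest cache lists themselves (initramfs use case); placed first so that an earlier dont_ rule cannot match those list files before them." With the scope stated, a reader can see from the comment alone that the module appraisal rules lockdown relies on are untouched, as the reply in this thread explains.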