On Mon, 2017-10-30 at 15:55 +0000, David Howells wrote:
> I've added this into my series as the third patch, but:
>
> Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
>
> > + ima_use_appraise_tcb = TRUE;
>
> Did you mean "true" rather than "TRUE"?

Yes, of course. Commit 9f4b6a254d7a "ima: Fix bool initialization/comparison" already addresses it. Please remove it from this patch.

>
> > + entry = kzalloc(sizeof(*entry), GFP_KERNEL);
> > + if (entry) {
> > + memcpy(entry, &secure_boot_rules[i],
> > + sizeof(*entry));
>
> kmemdup()?

Probably

>
> I guess also that oopsing is okay if the allocation fails. We've run out of
> memory during early boot, after all.

If the memory allocation fails, the "secure_boot" policy will not be enabled for custom policies, but how is that "oopsing"? If it fails, there needs to be some indication of the failure, which there currently isn't. Perhaps also prevent loading a custom policy.

>
> > + INIT_LIST_HEAD(&entry->list);
> > + list_add_tail(&entry->list, &ima_policy_rules);
>
> Isn't the init redundant, given the following line?

ok
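
Review bot: at `ima_use_appraise_tcb = TRUE;`, the kernel's bool type takes the lowercase literal `true`, so the uppercase macro should not be used for this assignment. The reply notes that commit 9f4b6a254d7a already covers this and asks for it to be removed from this patch.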
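
Review bot: in the hunk that copies `secure_boot_rules[i]`, the `if (entry)` check has no visible failure path, so a failed kzalloc() silently leaves that rule out of `ima_policy_rules` and nothing records that the "secure_boot" policy is incomplete. Report the failure where the allocation is checked (a pr_warn() would do) and decide whether a custom policy may still be loaded in that state, as the reply suggests. The kzalloc() plus memcpy() pair can be a single `kmemdup(&secure_boot_rules[i], sizeof(*entry), GFP_KERNEL)`, and `INIT_LIST_HEAD(&entry->list)` can be dropped because list_add_tail() overwrites both pointers of the new entry.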