Re: [RFC PATCH] ima: require secure_boot rules in lockdown mode

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:

> > Did you mean "true" rather than "TRUE"?
> 
> Yes, of course.  Commit 9f4b6a254d7a "ima: Fix bool
> initialization/comparison" already addresses it.  Please remove it
> from this patch.

Is that with James?  I don't seem to have a copy, and I don't want to cause a
patch collision.

> > I guess also that oopsing is okay if the allocation fails.  We've run out of
> > memory during early boot, after all.
> 
> If the memory allocation fails, the "secure_boot" policy will not be
> enabled for custom policies, but how is that "oopsing".

Sorry - I overlooked the fact that the variable is not used if it's not zero.

> If it fails, there needs to be some indication of the failure, which there
> currently isn't.  Perhaps also prevent loading a custom policy.

Does it need to panic (probably fine as a small memory alloc failed)?  If it
doesn't set this policy what's the effect on things using
is_ima_appraise_enabled() - assuming we get that far?

David



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux