Re: [RFC PATCH v2 1/4] security/ima: Rewrite tests into new API + fixes

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Mimi,

> > * ima_measurements.sh:
> >   - add support for "ima-ng" and "ima-sig" IMA measurement templates
> >   - add support for most of hash algorithms is defined in
> >     include/uapi/linux/hash_info.h (kernel headers); algorithms are
> >     detected from last occurance of tested file in
> >     /sys/kernel/security/ima/ascii_runtime_measurements
> >   - check i_version mount option only for ext[2-4] filesystems (other
> >     filesystems don't report it), TCONF when not mounted with it
> >   - XFS has iversion support from >= V5, TCONF when older version

> Needing the filesystem to be mounted with i_version is changing in
> Linux 4.16.  With commit ac0bf025d2c0 ("ima: Use i_version only when
> filesystem supports it"), files on filesystems, which do not support
> i_version, will now *always* be re-measured (based on policy), making
> i_version a performance improvement.
Thanks for info, I'll update the test.

> >  load_policy()
...
> >  	cat $1 |
> > -	while read line ; do
> > -	{
> > -		if [ "${line#\#}" = "${line}" ] ; then
> > -			echo $line >&4 2> /dev/null
> > +	while read line; do
> > +		if [ "${line#\#}" = "${line}" ]; then
> > +			echo "$line" >&4 2> /dev/null
> >  			if [ $? -ne 0 ]; then
> >  				exec 4>&-
> >  				return 1
> >  			fi
> >  		fi
> > -	}

> Originally writing the policy was done one rule at a time, but hasn't
> been required for a long time.  dracut and systemd 'cat' the policy
> directly to the pseudo file.
OK, let's simplify it to catting the content.

> Mimi


Kind regards,
Petr




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux