Re: [RFC PATCH v2 1/4] security/ima: Rewrite tests into new API + fixes

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 2018-03-29 at 10:59 +0200, Petr Vorel wrote:
> Hi Mimi,

> > >  load_policy()
> ...
> > >  	cat $1 |
> > > -	while read line ; do
> > > -	{
> > > -		if [ "${line#\#}" = "${line}" ] ; then
> > > -			echo $line >&4 2> /dev/null
> > > +	while read line; do
> > > +		if [ "${line#\#}" = "${line}" ]; then
> > > +			echo "$line" >&4 2> /dev/null
> > >  			if [ $? -ne 0 ]; then
> > >  				exec 4>&-
> > >  				return 1
> > >  			fi
> > >  		fi
> > > -	}
> 
> > Originally writing the policy was done one rule at a time, but hasn't
> > been required for a long time.  dracut and systemd 'cat' the policy
> > directly to the pseudo file.
> OK, let's simplify it to catting the content.

Replacing the builtin policy with a new policy in the initramfs was
considered safe.  With commit 38d859f991f3 ("IMA: policy can now be
updated multiple times") the policy can be extended multiple times,
not only from the initramfs.  For it to be safe to extend the IMA
policy (eg. CONFIG_IMA_WRITE_POLICY), the policy must be signed.

These tests assume the policy does not need to be signed.

Mimi




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux