Re: [RFC PATCH v2 1/4] security/ima: Rewrite tests into new API + fixes

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Mimi,

> > > >  load_policy()
> > ...
> > > >  	cat $1 |
> > > > -	while read line ; do
> > > > -	{
> > > > -		if [ "${line#\#}" = "${line}" ] ; then
> > > > -			echo $line >&4 2> /dev/null
> > > > +	while read line; do
> > > > +		if [ "${line#\#}" = "${line}" ]; then
> > > > +			echo "$line" >&4 2> /dev/null
> > > >  			if [ $? -ne 0 ]; then
> > > >  				exec 4>&-
> > > >  				return 1
> > > >  			fi
> > > >  		fi
> > > > -	}

> > > Originally writing the policy was done one rule at a time, but hasn't
> > > been required for a long time.  dracut and systemd 'cat' the policy
> > > directly to the pseudo file.
> > OK, let's simplify it to catting the content.

> Replacing the builtin policy with a new policy in the initramfs was
> considered safe.  With commit 38d859f991f3 ("IMA: policy can now be
> updated multiple times") the policy can be extended multiple times,
> not only from the initramfs.  For it to be safe to extend the IMA
> policy (eg. CONFIG_IMA_WRITE_POLICY), the policy must be signed.

> These tests assume the policy does not need to be signed.

Is it a good idea to expect that policy must be signed also for older kernels
(kernels before 4.5)?

> Mimi


Kind regards,
Petr



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux