Re: [RFC PATCH v2 1/4] security/ima: Rewrite tests into new API + fixes

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 2018-04-11 at 21:03 +0200, Petr Vorel wrote:
> Hi Mimi,
> > > > >  load_policy()
> > > ...
> > > > >  	cat $1 |
> > > > > -	while read line ; do
> > > > > -	{
> > > > > -		if [ "${line#\#}" = "${line}" ] ; then
> > > > > -			echo $line >&4 2> /dev/null
> > > > > +	while read line; do
> > > > > +		if [ "${line#\#}" = "${line}" ]; then
> > > > > +			echo "$line" >&4 2> /dev/null
> > > > >  			if [ $? -ne 0 ]; then
> > > > >  				exec 4>&-
> > > > >  				return 1
> > > > >  			fi
> > > > >  		fi
> > > > > -	}
> 
> > > > Originally writing the policy was done one rule at a time, but hasn't
> > > > been required for a long time.  dracut and systemd 'cat' the policy
> > > > directly to the pseudo file.
> > > OK, let's simplify it to catting the content.
> 
> > Replacing the builtin policy with a new policy in the initramfs was
> > considered safe.  With commit 38d859f991f3 ("IMA: policy can now be
> > updated multiple times") the policy can be extended multiple times,
> > not only from the initramfs.  For it to be safe to extend the IMA
> > policy (eg. CONFIG_IMA_WRITE_POLICY), the policy must be signed.
> 
> > These tests assume the policy does not need to be signed.

> Is it a good idea to expect that policy must be signed also for older kernels
> (kernels before 4.5)?

The ability to sign the policy file was introduced with commit 7429b09
("ima: load policy using path").  According to "git branch --
contains", it was upstreamed in linux-4.6.

Mimi




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux