On Wed, 2018-04-11 at 21:03 +0200, Petr Vorel wrote:
> Hi Mimi,
> > > > > load_policy()
> > > ...
> > > > > cat $1 |
> > > > > - while read line ; do
> > > > > - {
> > > > > - if [ "${line#\#}" = "${line}" ] ; then
> > > > > - echo $line >&4 2> /dev/null
> > > > > + while read line; do
> > > > > + if [ "${line#\#}" = "${line}" ]; then
> > > > > + echo "$line" >&4 2> /dev/null
> > > > > if [ $? -ne 0 ]; then
> > > > > exec 4>&-
> > > > > return 1
> > > > > fi
> > > > > fi
> > > > > - }
>
> > > > Originally writing the policy was done one rule at a time, but hasn't
> > > > been required for a long time. dracut and systemd 'cat' the policy
> > > > directly to the pseudo file.
> > > OK, let's simplify it to catting the content.
>
> > Replacing the builtin policy with a new policy in the initramfs was
> > considered safe. With commit 38d859f991f3 ("IMA: policy can now be
> > updated multiple times") the policy can be extended multiple times,
> > not only from the initramfs. For it to be safe to extend the IMA
> > policy (eg. CONFIG_IMA_WRITE_POLICY), the policy must be signed.
>
> > These tests assume the policy does not need to be signed.
> Is it a good idea to expect that policy must be signed also for older kernels
> (kernels before 4.5)?

The ability to sign the policy file was introduced with commit 7429b09
("ima: load policy using path"). According to "git branch --contains",
it was upstreamed in linux-4.6.

Mimi
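Review bot: the `return 1` and `exec 4>&-` in the error branch run inside the subshell that `cat $1 | while read line; do` creates, so a rejected rule only ends that subshell: the function carries on after the pipeline, fd 4 stays open in the parent, and the caller never sees the failure. Feeding the loop with `done < "$1"` (or, as the thread goes on to suggest, writing the file to the policy node in one go) keeps the `return` inside the function; while here, `$1` should be quoted and `read` given `-r` so a backslash in a rule is not eaten.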
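An added example, not code from the LTP test or from the thread: a POSIX sh `ima_load_policy` that hands the policy to the kernel's securityfs node in the way the thread describes, writing only the policy path on kernels that can verify a signed policy (4.6 and later, per commit 7429b09 above) and the rules themselves on older kernels, with the loop fed by redirection rather than `cat | while` so a failed write actually returns from the function. The function names, `IMA_POLICY_FILE` and the sample rules in the test are this example's own assumptions; the default node path is the real securityfs location of the IMA policy interface.

```sh
#!/bin/sh
# Added example (not LTP or kernel code). Assumed names: IMA_POLICY_FILE,
# kernel_at_least, ima_load_policy. The default node path is the real
# securityfs location of the IMA policy interface.
IMA_POLICY_FILE="${IMA_POLICY_FILE:-/sys/kernel/security/ima/policy}"

# kernel_at_least MAJOR MINOR VERSION -> status 0 if VERSION >= MAJOR.MINOR
# VERSION is in `uname -r` form, e.g. "4.15.0-20-generic" or "5.10.0-rc1".
kernel_at_least() {
    want_major=$1; want_minor=$2
    ver=${3%%-*}                  # drop "-rc1", "-generic", ...
    have_major=${ver%%.*}
    rest=${ver#*.}
    have_minor=${rest%%.*}
    [ "$have_major" -gt "$want_major" ] && return 0
    [ "$have_major" -eq "$want_major" ] && \
        [ "$have_minor" -ge "$want_minor" ] && return 0
    return 1
}

# ima_load_policy RULES_FILE [KERNEL_VERSION]
# Returns 0 on success, 1 if the write to the policy node failed, 2 if
# RULES_FILE is unreadable. On >= 4.6 only the *path* is written, so the
# kernel can appraise the (signed) policy file itself; on older kernels the
# rules are written one per line with comment and blank lines dropped. The
# loop is fed by redirection, not "cat | while", so "return" really leaves
# this function and the caller sees the failure.
ima_load_policy() {
    rules=$1
    kver=${2:-$(uname -r)}
    [ -r "$rules" ] || return 2
    if kernel_at_least 4 6 "$kver"; then
        printf '%s\n' "$rules" > "$IMA_POLICY_FILE" 2>/dev/null || return 1
        return 0
    fi
    {
        while IFS= read -r line; do
            case $line in
                \#*|'') continue ;;
            esac
            printf '%s\n' "$line" 2>/dev/null || return 1
        done < "$rules"
    } > "$IMA_POLICY_FILE" 2>/dev/null || return 1
    return 0
}
```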