On Fri, May 24, 2019 at 2:29 AM Roberto Sassu <roberto.sassu@xxxxxxxxxx> wrote:
>
> On 5/23/2019 8:18 PM, Matthew Garrett wrote:
> > option: appraise_type:= [imasig]
> > + template:= name of an IMA template type (eg, d-ng)
>
> IMA template name or custom format (if specified in the kernel command
> line, see below).

ACK.

> > + if (template_desc && entry->flags & IMA_TEMPLATE)
> > + *template_desc = entry->template;
> > +
>
> I would simply return the template, without checking the flags.

ACK.

> > + case Opt_template:
> > + ima_log_string(ab, "template", args[0].from);
>
> Please add:
>
> if (entry->template)
> return -EINVAL;

ACK.

> > + template_desc = lookup_template_desc(args[0].from);
>
> You assume that the template is already known, while users can specify
> in the policy a combination of template fields that is not in the list.

Yes, I'm not attempting to add support for dynamic template definition
in this patch.

> > @@ -36,6 +36,7 @@
> > #define IMA_NEW_FILE 0x04000000
> > #define EVM_IMMUTABLE_DIGSIG 0x08000000
> > #define IMA_FAIL_UNVERIFIABLE_SIGS 0x10000000
> > +#define IMA_TEMPLATE 0x20000000
>
> I think it is not necessary to define a new flag here. It should be
> sufficient to check entry->template.

Ok.
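
Review bot: In the documentation hunk, the added "template:=" line does not say that only an already defined template name is accepted, which is what the lookup_template_desc(args[0].from) call in the parser hunk implies and what the reply confirms (no dynamic template definition in this patch). Suggest stating that restriction in the option text so a policy author does not expect a custom field combination to be accepted here.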
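
Review bot: In the hunk that writes *template_desc, the assignment is conditional, so when no rule carries a template the caller's pointer is left untouched. Either document that the caller must initialise it to the default template before the call, or assign the default in this function. If the flag test is kept, write it as (entry->flags & IMA_TEMPLATE) so the && expression reads unambiguously.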
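
Review bot: In the Opt_template case, the quoted lines show no check on the value returned by lookup_template_desc(args[0].from). If the lines that follow do not already handle it, a failed lookup should set the parse result to -EINVAL, so that a mistyped template name in a policy rule is reported when the policy is loaded instead of being accepted.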