On 10/27/19 7:47 AM, Mimi Zohar wrote:
There's no reason to define a new variable to determine if IMA is
initialized. Use ima_policy_flag.
Please correct me if I am wrong -
ima_policy_flag will be set to 0 if IMA is not yet initialized
OR
IMA is initialized, but ima_policy_flag could be still set to 0 (say,
due to the configured policy).
In the latter case the measurement request should be a NOP immediately.
I'm not sure. The builtin keys most likely will be loaded prior to a
custom IMA policy containing "keyring" rules are defined.
Mimi
I am not sure if I described it clearly - let me clarify:
Say, we use ima_policy_flag to determine whether to
measure the key immediately or
queue the key for measurement and, measure when IMA is initialized.
We can incorrectly keep queuing keys in the case when IMA is
initialized, but due to the way IMA policy is configured ima_policy_flag
is still 0.
That's why I feel a separate boolean flag would be needed to know
whether IMA is initialized or not.
If IMA is initialized, ima_policy_flag will dictate whether to measure
the key or not.
thanks,
-lakshmi
