On 11/6/19 2:44 PM, Mimi Zohar wrote:
Hi Mimi,
+
+ if (ima_initialized) {
ima_initialized is being set in ima_init(), before a custom policy is
loaded. I would think that is too early. ima_update_policy() is
called after loading a custom policy. Please see how to detect when a
custom policy is loaded.
ima_init_policy() is called before ima_initialized flag is set.
As far as I understand ima_init_policy() loads custom policies as well.
So custom policies (such as arch specific policies, secure boot
policies, etc.) are loaded before the queued keys are processed.
But if CONFIG_IMA_WRITE_POLICY is enabled, the policy can be updated
anytime. This scenario is not handled in my implementation.
Please correct me if my understanding is wrong.
thanks,
-lakshmi
