Re: [PATCH v6 1/3] IMA: Add KEY_CHECK func to measure keys


 



On 11/13/2019 12:14 PM, Mimi Zohar wrote:

@@ -655,6 +655,13 @@ void process_buffer_measurement(const void *buf, int size,
  	int action = 0;
  	u32 secid;
+ /*
+	 * If IMA is not yet initialized or IMA policy is empty
+	 * then there is no need to measure.
+	 */
+	if (!ima_policy_flag)
+		return;
+
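
Review bot: The comment above `if (!ima_policy_flag)` describes the early return as a case where "there is no need to measure", but going by the reply in this thread the check is what keeps process_buffer_measurement() from calling ima_get_action() before IMA is initialized. Suggest rewording the comment to say the guard is required for callers that run early in boot, and stating that any buffer passed in while ima_policy_flag is zero (for example keys added to builtin_trusted_keys) returns without being measured, so the resulting gap in the measurement list is documented rather than implicit.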

This addition has nothing to do with defining a new IMA hook and
should be a separate patch.  This can be posted independently of this
patch set.

Mimi

I'll move this change to a different patch, but it has to be either part of this patch set or the above change alone needs to be taken before this patch set for the following reason:

The IMA hook gets called early in the boot process (for example, when builtin_trusted_keys are added). If the above check is not there, ima_get_action() is called and causes a kernel panic (since IMA is not yet initialized).

thanks,
 -lakshmi




