On Wed, 2019-11-13 at 12:21 -0800, Lakshmi Ramasubramanian wrote:
> On 11/13/2019 12:14 PM, Mimi Zohar wrote:
>
> >> @@ -655,6 +655,13 @@ void process_buffer_measurement(const void *buf, int size,
> >> int action = 0;
> >> u32 secid;
> >>
> >> + /*
> >> + * If IMA is not yet initialized or IMA policy is empty
> >> + * then there is no need to measure.
> >> + */
> >> + if (!ima_policy_flag)
> >> + return;
> >> +
> >
> > This addition has nothing to do with defining a new IMA hook and
> > should be a separate patch. This can be posted independently of this
> > patch set.
> >
> > Mimi
>
> I'll move this change to a different patch,
> but it has to be either part of this patch set or the above change alone
> needs to be taken before this patch set for the following reason:
>
> The IMA hook gets called early in the boot process (for example, when
> builtin_trusted_keys are added). If the above check is not there,
> ima_get_action() is called and causes kernel panic (since IMA is not yet
> initialized).

It will be upstreamed prior to this patch set.

Mimi
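
Review bot: The early return at `if (!ima_policy_flag) return;` in process_buffer_measurement() drops the buffer silently, and the comment above it treats "IMA is not yet initialized" and "IMA policy is empty" as the same case when they have different consequences. Per the discussion, the hook fires during early boot (for example when builtin_trusted_keys are added), so with this check those buffers are never measured and nothing records that they were skipped. The comment should say that explicitly rather than "there is no need to measure", so a reader of the measurement list knows early-boot data can be absent. When this is split into its own patch, the changelog should state the actual motivation given in the thread, namely that without the check ima_get_action() is reached before IMA is initialized and the kernel panics.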