On Mon, 2019-11-25 at 10:23 -0800, Lakshmi Ramasubramanian wrote: > On 11/21/19 9:14 AM, Lakshmi Ramasubramanian wrote: > > Hi Mimi, > > > process_buffer_measurement() needs to check if ima_policy_flag > > is set to measure and\or appraise. Not doing this check can > > result in kernel panic (such as when process_buffer_measurement() > > is called before IMA is initialized). > > > > This change adds the check in process_buffer_measurement() > > to return immediately if ima_policy_flag is set to 0. > > > > Signed-off-by: Lakshmi Ramasubramanian <nramas@xxxxxxxxxxxxxxxxxxx> > > --- > > security/integrity/ima/ima_main.c | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c > > index 60027c643ecd..c9374430bb72 100644 > > --- a/security/integrity/ima/ima_main.c > > +++ b/security/integrity/ima/ima_main.c > > @@ -651,6 +651,9 @@ static void process_buffer_measurement(const void *buf, int size, > > int pcr = CONFIG_IMA_MEASURE_PCR_IDX; > > int action = 0; > > > > + if (!ima_policy_flag) > > + return; > > + > > Please let me know if the above change would be accepted as a standalone > patch (like the one in this patch), > or, I should include this change as one of the patches in the "Key > Measurement" patch set? As I'm not planning on sending a pull request this open window, so that it doesn't get lost/forgotten, please include it as the first patch in this patch set. Mimi
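Review bot: the added `if (!ima_policy_flag) return;` at the top of process_buffer_measurement() drops the buffer silently, and because the function is `static void` the caller cannot tell that nothing was measured. The commit message names a call made before IMA is initialized as the case being guarded. For that case it would help to add a short comment above the check saying why returning is safe, and to state in the commit message whether buffers passed in that early are expected to go unmeasured or should be deferred by the caller. The message also describes the check as "set to measure and\or appraise", while the code only tests for zero, so any non-zero flag lets the call proceed. Either reword the description to match ("return if no policy flags are set") or test the specific flag bits that buffer measurement depends on.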