On Mon, 2019-12-02 at 10:39 -0800, Lakshmi Ramasubramanian wrote:
> On 12/2/19 10:00 AM, Mimi Zohar wrote:
> >
> > ima_update_policy() is called from multiple places. Initially, it is
> > called before a custom policy has been loaded. The call to
> > ima_process_queued_keys_for_measurement() needs to be moved to within
> > the test, otherwise it runs the risk of dropping "key" measurements.
>
> static const struct file_operations ima_measure_policy_ops = {
>         .release = ima_release_policy,
> };
>
> ima_update_policy() is called from the ima_release_policy() function.
>
> On my test machine I have the IMA policy in the /etc/ima/ima-policy file.
> When the IMA policy is set up from this file, I see ima_release_policy()
> called (which in turn calls ima_update_policy()).
>
> How can I have ima_update_policy() called before a custom policy is loaded?

Oops, you're right. My concern was ima_init_policy(), but it calls
ima_update_policy_flag() directly.

Mimi