On Wed, 2022-01-26 at 10:11 +0100, Christian Brauner wrote: > On Tue, Jan 25, 2022 at 05:46:28PM -0500, Stefan Berger wrote: > > From: Stefan Berger <stefanb@xxxxxxxxxxxxx> > > > > Move the arch_policy_entry pointer into ima_namespace. > > > > When freeing the memory set the pointer to NULL. > > > > Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx> > > --- > > Only relevant for the initial imans (for now) since it is derived from a > boot parameter. Maybe mention this in the commit message. Enabling architecture specific policy rules is based on CONFIG_IMA_ARCH_POLICY. As the name implies, each architecture is free to define their own policy rules. For example on x86, based on the secure boot mode both measurement and signature verification rules are defined for the kexec kernel image and kernel modules. Similarly on powerpc, different measurement and signature verification rules for the kexec kernel image and kernel modules are defined based on whether trusted boot, secure boot, or both are enabled [2]. As neither kexec nor loading kernel modules are applicable, the architecture policy rules are limited to initial imans. [1] security/integrity/ima/ima_efi.c [2] arch/powerpc/kernel/ima_arch.c > > Move into struct ima_namespace looks good, > Acked-by: Christian Brauner <brauner@xxxxxxxxxx> Thanks, Christian. Reviewed-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
