Re: [PATCH v5 3/4] LSM: Define SELinux function to measure state and policy

On 8/4/20 8:29 AM, Stephen Smalley wrote:

>> Perhaps vmalloc would be better than using kmalloc? If there are better options for such large buffer allocation, please let me know.
>
> kvmalloc() can be used to select whichever one is most appropriate.
>
> Other option would be for ima to compute and save the hash(es) of the payload and not the payload itself for later use.  I guess you won't know at that point which hash algorithm is desired?


I think IMA hash algorithm would be known at that point, but IMA policy is not loaded yet (which is why I need to queue up the buffer and process when policy is loaded).

I tried vmalloc and tested it with up to 16MB buffer (just made up a SELinux policy buffer of size 16MB) - that works fine.

I will try kvmalloc().

Also, I fixed the issue with LSM data not measured when using the IMA policy you had. Good catch.

Will post the updated patches today.

thanks,
 -lakshmi
