Re: [PATCH v4 08/10] IMA: Defined functions to queue and dequeue keys for measurement

From: Lakshmi Ramasubramanian
Date: Wed Nov 06 2019 - 21:20:14 EST

Next message: Viresh Kumar: "Re: [PATCH 06/11] thermal: mediatek: Appease the kernel-doc deity"
Previous message: Viresh Kumar: "Re: [PATCH 06/11] thermal: mediatek: Appease the kernel-doc deity"
In reply to: Lakshmi Ramasubramanian: "Re: [PATCH v4 08/10] IMA: Defined functions to queue and dequeue keys for measurement"
Next in thread: Lakshmi Ramasubramanian: "[PATCH v4 04/10] IMA: Read keyrings= option from the IMA policy into ima_rule_entry"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 11/6/19 2:44 PM, Mimi Zohar wrote:

Hi Mimi,

+
+ if (ima_initialized) {

ima_initialized is being set inÂima_init(), before a custom policy is
loaded. ÂI would think that is too early. Âima_update_policy() is
called after loading a custom policy. ÂPlease see how to detect when a
custom policy is loaded.

ima_init_policy() is called before ima_initialized flag is set.

As far as I understand ima_init_policy() loads custom policies as well. So custom policies (such as arch specific policies, secure boot policies, etc.) are loaded before the queued keys are processed.

But if CONFIG_IMA_WRITE_POLICY is enabled, the policy can be updated anytime. This scenario is not handled in my implementation.

Please correct me if my understanding is wrong.

thanks,
-lakshmi

Next message: Viresh Kumar: "Re: [PATCH 06/11] thermal: mediatek: Appease the kernel-doc deity"
Previous message: Viresh Kumar: "Re: [PATCH 06/11] thermal: mediatek: Appease the kernel-doc deity"
In reply to: Lakshmi Ramasubramanian: "Re: [PATCH v4 08/10] IMA: Defined functions to queue and dequeue keys for measurement"
Next in thread: Lakshmi Ramasubramanian: "[PATCH v4 04/10] IMA: Read keyrings= option from the IMA policy into ima_rule_entry"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]