| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 28 Oct 2019 07:58:36 -0700
From: Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>
To: Mimi Zohar <zohar@...ux.ibm.com>, dhowells@...hat.com,
casey@...aufler-ca.com, sashal@...nel.org,
jamorris@...ux.microsoft.com,
linux-security-module@...r.kernel.org,
linux-integrity@...r.kernel.org, linux-kernel@...r.kernel.org,
keyrings@...r.kernel.org
Subject: Re: [PATCH v2 1/4] KEYS: Defined an ima hook for measuring keys on
key create or update
On 10/27/19 7:47 AM, Mimi Zohar wrote:
>>> There's no reason to define a new variable to determine if IMA is
>>> initialized. Use ima_policy_flag.
>>
>> Please correct me if I am wrong -
>>
>> ima_policy_flag will be set to 0 if IMA is not yet initialized
>> OR
>> IMA is initialized, but ima_policy_flag could be still set to 0 (say,
>> due to the configured policy).
>>
>> In the latter case the measurement request should be a NOP immediately.
>
> I'm not sure. The builtin keys most likely will be loaded prior to a
> custom IMA policy containing "keyring" rules are defined.
>
> Mimi
I am not sure if I described it clearly - let me clarify:
Say, we use ima_policy_flag to determine whether to
measure the key immediately or
queue the key for measurement and, measure when IMA is initialized.
We can incorrectly keep queuing keys in the case when IMA is
initialized, but due to the way IMA policy is configured ima_policy_flag
is still 0.
That's why I feel a separate boolean flag would be needed to know
whether IMA is initialized or not.
If IMA is initialized, ima_policy_flag will dictate whether to measure
the key or not.
thanks,
-lakshmi
Powered by blists - more mailing lists