lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <b9f293d8-6e58-4d56-1917-5819f0b8931a@linux.microsoft.com>
Date:   Wed, 6 Nov 2019 18:20:11 -0800
From:   Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>
To:     Mimi Zohar <zohar@...ux.ibm.com>, dhowells@...hat.com,
        matthewgarrett@...gle.com, sashal@...nel.org,
        jamorris@...ux.microsoft.com, linux-integrity@...r.kernel.org,
        linux-security-module@...r.kernel.org, keyrings@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v4 08/10] IMA: Defined functions to queue and dequeue keys for measurement

On 11/6/19 2:44 PM, Mimi Zohar wrote:

Hi Mimi,

>> +
>> +	if (ima_initialized) {
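Review bot: gating on ima_initialized decides whether a key is measured now or queued, but that flag is set in ima_init() before any custom policy can be loaded, so a key added between ima_init() and ima_update_policy() is measured against the built-in policy rather than the custom one. Track the point at which the custom policy is applied (where ima_update_policy() runs) and gate the immediate-measure path on that instead; and since CONFIG_IMA_WRITE_POLICY allows the policy to change after that point, the dequeue path should not assume the policy it sees is final.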
> 
> ima_initialized is being set in ima_init(), before a custom policy is
> loaded.  I would think that is too early.  ima_update_policy() is
> called after loading a custom policy.  Please see how to detect when a
> custom policy is loaded.

ima_init_policy() is called before the ima_initialized flag is set.

As far as I understand, ima_init_policy() loads custom policies as well.
So custom policies (such as arch-specific policies, secure boot
policies, etc.) are loaded before the queued keys are processed.

But if CONFIG_IMA_WRITE_POLICY is enabled, the policy can be updated 
anytime. This scenario is not handled in my implementation.

Please correct me if my understanding is wrong.

thanks,
  -lakshmi
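The ordering question in this exchange, worked through as an added example that is not from the patch series or the kernel: a user-space model in which keys arriving before the policy is in place are queued and measured later, with two candidate gates for the "measure now" path. Every name here (model_ima_init, model_update_policy, model_key_added and the rest) is hypothetical and only mirrors the shape of the argument: the built-in policy and the initialized flag come first, a custom policy arrives later through the equivalent of ima_update_policy(), and keys may be added in any of the windows in between.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical model, not kernel code.  Three windows matter for a key:
 * before the built-in policy is loaded, between the built-in policy and
 * the custom policy, and after the custom policy.  The model counts which
 * policy each key ended up being measured under.
 */

enum policy_state { POLICY_NONE, POLICY_BUILTIN, POLICY_CUSTOM };

struct key_entry {
	const char *keyring;
	const char *desc;
};

#define MAX_QUEUE 16

struct ima_model {
	bool initialized;		/* set by model_ima_init(), before any custom policy */
	enum policy_state policy;	/* policy currently in effect */
	bool gate_on_custom_policy;	/* false: gate on 'initialized'; true: gate on custom policy */
	struct key_entry queue[MAX_QUEUE];
	int qlen;
	int measured_with_builtin;	/* keys measured while only the built-in policy applied */
	int measured_with_custom;	/* keys measured once the custom policy applied */
	int dropped;			/* keys lost because the queue was full */
};

static void model_reset(struct ima_model *m, bool gate_on_custom_policy)
{
	memset(m, 0, sizeof(*m));
	m->gate_on_custom_policy = gate_on_custom_policy;
}

/* Whether a key arriving now is measured immediately or queued. */
static bool model_ready(const struct ima_model *m)
{
	if (m->gate_on_custom_policy)
		return m->policy == POLICY_CUSTOM;
	return m->initialized;
}

static void model_measure(struct ima_model *m, const struct key_entry *k)
{
	if (m->policy == POLICY_CUSTOM)
		m->measured_with_custom++;
	else
		m->measured_with_builtin++;
	printf("measured %s on keyring %s (policy=%d)\n",
	       k->desc, k->keyring, (int)m->policy);
}

static void model_flush_queue(struct ima_model *m)
{
	for (int i = 0; i < m->qlen; i++)
		model_measure(m, &m->queue[i]);
	m->qlen = 0;
}

/* Equivalent of a key being added to a keyring: measure now or queue it. */
static int model_key_added(struct ima_model *m, const char *keyring, const char *desc)
{
	struct key_entry k = { keyring, desc };

	if (model_ready(m)) {
		model_measure(m, &k);
		return 0;
	}
	if (m->qlen == MAX_QUEUE) {
		m->dropped++;	/* a real implementation must decide what to do here */
		return -1;
	}
	m->queue[m->qlen++] = k;
	return 0;
}

/* Built-in policy loaded and the flag set; the custom policy has not been seen yet. */
static void model_ima_init(struct ima_model *m)
{
	m->policy = POLICY_BUILTIN;
	m->initialized = true;
	if (!m->gate_on_custom_policy)
		model_flush_queue(m);	/* early gate: queued keys are measured here */
}

/* Custom policy replaces the built-in one; the late gate opens here. */
static void model_update_policy(struct ima_model *m)
{
	m->policy = POLICY_CUSTOM;
	model_flush_queue(m);	/* no-op for the early gate, whose queue is already empty */
}

/* Constructed scenario: one key in each of the three windows. */
static struct ima_model run_scenario(bool gate_on_custom_policy)
{
	struct ima_model m;

	model_reset(&m, gate_on_custom_policy);
	model_key_added(&m, ".ima", "key-before-ima_init");
	model_ima_init(&m);
	model_key_added(&m, ".ima", "key-before-custom-policy");
	model_update_policy(&m);
	model_key_added(&m, ".ima", "key-after-custom-policy");
	return m;
}

int main(void)
{
	struct ima_model early = run_scenario(false);
	struct ima_model late = run_scenario(true);

	printf("gate on initialized flag: builtin=%d custom=%d\n",
	       early.measured_with_builtin, early.measured_with_custom);
	printf("gate on custom policy:    builtin=%d custom=%d\n",
	       late.measured_with_builtin, late.measured_with_custom);
	return 0;
}
```

With the early gate, the first two keys are measured while only the built-in policy applies and the custom policy never sees them; with the late gate, all three are measured under the custom policy. The model also shows the CONFIG_IMA_WRITE_POLICY caveat from the reply: a second call to model_update_policy() after the flush finds an empty queue, so keys already measured are not reconsidered under the new policy.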
