| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 02 Dec 2019 14:11:31 -0500
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>,
linux-integrity@...r.kernel.org
Cc: eric.snowberg@...cle.com, dhowells@...hat.com,
matthewgarrett@...gle.com, sashal@...nel.org,
jamorris@...ux.microsoft.com, linux-kernel@...r.kernel.org,
keyrings@...r.kernel.org, Janne Karhunen <janne.karhunen@...il.com>
Subject: Re: [PATCH v0 1/2] IMA: Defined queue functions
On Mon, 2019-12-02 at 10:39 -0800, Lakshmi Ramasubramanian wrote:
> On 12/2/19 10:00 AM, Mimi Zohar wrote:
>
> >
> > ima_update_policy() is called from multiple places. Initially, it is
> > called before a custom policy has been loaded. The call to
> > ima_process_queued_keys_for_measurement() needs to be moved to within
> > the test, otherwise it runs the risk of dropping "key" measurements.
>
> static const struct file_operations ima_measure_policy_ops = {
> .release = ima_release_policy,
> };
>
> ima_update_policy() is called from ima_release_policy() function.
>
> On my test machine I have the IMA policy in /etc/ima/ima-policy file.
> When IMA policy is setup from this file, I see ima_release_policy()
> called (which in turn calls ima_update_policy()).
>
> How can I have ima_update_policy() called before a custom policy is loaded?
Oops, you're right. My concern was ima_init_policy(), but it calls
ima_update_policy_flag() directly.
Mimi
Powered by blists - more mailing lists