lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <9f593c5f5882e8ed0d807376eefd4530462741d3.camel@linux.ibm.com>
Date: Thu, 20 Nov 2025 10:39:31 -0500
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Tahera Fahimi <taherafahimi@...ux.microsoft.com>, roberto.sassu@...wei.com,
        dmitry.kasatkin@...il.com, eric.snowberg@...cle.com,
        paul@...l-moore.com, jmorris@...ei.org, serge@...lyn.com,
        linux-integrity@...r.kernel.org, linux-security-module@...r.kernel.org,
        linux-kernel@...r.kernel.org, code@...icks.com
Cc: Lennart Poettering <mzxreary@...inter.de>
Subject: Re: [Patch V1] ima: avoid duplicate policy rules insertions

On Tue, 2025-11-11 at 06:40 -0500, Mimi Zohar wrote:
> [Cc'ing Lennart Poettering]
> 
> On Thu, 2025-11-06 at 18:14 +0000, Tahera Fahimi wrote:
> > Prevent redundant IMA policy rules by checking for duplicates before insertion. This ensures that
> > rules are not re-added when userspace is restarted (using systemd-soft-reboot) without a full system
> > reboot. ima_rule_exists() detects duplicates in both temporary and active rule lists.
> > 
> > Signed-off-by: Tahera Fahimi <taherafahimi@...ux.microsoft.com>
> 
> Sorry for the delay in responding ...
> 
> Before trying to fix the "problem", let's try to understand it first.  At least
> on my test system (-rc5), kexec is working as designed.  On boot, systemd
> replaces the existing builtin IMA policy with a custom IMA policy.  The arch
> specific policies are not affected, as they are persistent.  On a soft reboot
> (kexec), the IMA custom policy is re-loaded as expected.
> 
> To verify the above behavior, extend the IMA policy before the soft reboot. 
> Notice after the soft reboot that the original custom IMA policy is loaded and
> not the extended IMA policy.  Roberto, if there is a problem with this behavior,
> we'll discuss it independently of this proposed patch.
> 
> The question is why are you seeing duplicate IMA policy rules?  What is special
> about your environment?

I'm now able to reproduce what you're seeing by executing "systemctl soft-
reboot".  After each soft-reboot the custom IMA policy rules are re-loaded and
appended to the existing IMA policy.  As Roberto mentioned, there is no option
to replace the existing custom IMA policy rules with a new custom policy. We
might consider doing so in the future, but for now the onus for not re-loading
the custom IMA policy should not be on IMA, but on systemd.

Reading the same securityfs policy file used for loading the IMA policy will
return the current IMA policy. systemd could detect whether the existing IMA
policy contains the custom policy rules, before actually loading them.  There's
no reason for adding this functionality in the kernel.

-- 
thanks,

Mimi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ