diff for duplicates of <1517255903.29187.560.camel@linux.vnet.ibm.com> diff --git a/a/1.txt b/N1/1.txt index d0306e1..69f460e 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -5,9 +5,9 @@ On Sat, 2018-01-27 at 19:47 -0500, Mimi Zohar wrote: > > > > > Originally IMA allowed a builtin policy to be replaced with a custom > > > > > policy, by simply cat'ing a file into the securityfs IMA policy file. > > > > > Currently, if new rules can be added to the custom policy (Kconfig -> > > > > IMA_WRITE_POLICY enabled), the policy file must be signed. Similarly, +> > > > > IMA_WRITE_POLICY enabled), the policy file must be signed. Similarly, > > > > > if the builtin "secure-boot" policy is defined on the boot command -> > > > > line, the custom policy must be signed. Test "ima01 ima_policy.sh" +> > > > > line, the custom policy must be signed. Test "ima01 ima_policy.sh" > > > > > should first detect if the policy must be signed, before running the > > > > > tests. > > @@ -19,7 +19,7 @@ On Sat, 2018-01-27 at 19:47 -0500, Mimi Zohar wrote: > > security/integrity/ima/ima_fs.c which handles IMA sysfs doesn't have this functionality. > > Is it deliberate (security reason), that it's not exported to users? > -> This isn't really an IMA issue, but a TPM one. The TPM device driver +> This isn't really an IMA issue, but a TPM one. The TPM device driver > would need to export this information. Sorry, that was an answer to the wrong question. In ima_tpm.sh, 
@@ -29,13 +29,13 @@ there's the question: Commit 313d21e "tpm: device class for tpm" moved the TPM sysfs location from /sys/class/misc/tpmX/device/ to -/sys/class/tpm/tpmX/device/. The pcrs are +/sys/class/tpm/tpmX/device/. The pcrs are To answer your question, if after writing the custom policy, the policy file disappears, then you obviously can't extend the policy. - If the policy file doesn't disappear, you might not be able to extend -the policy, just view it. Sorry, there's no method of knowing apriori + If the policy file doesn't disappear, you might not be able to extend +the policy, just view it. Sorry, there's no method of knowing apriori whether the policy can be extended. Mimi diff --git a/a/content_digest b/N1/content_digest index 1a2c695..a4fe2ab 100644 --- a/a/content_digest +++ b/N1/content_digest @@ -5,13 +5,9 @@ "ref\020180126175110.boaepz6dqe3uojq6@dell5510\0" "ref\01517100440.29187.120.camel@linux.vnet.ibm.com\0" "From\0Mimi Zohar <zohar@linux.vnet.ibm.com>\0" - "Subject\0Re: [RFC PATCH 0/2] IMA: Rewrite tests into new API + fixes\0" + "Subject\0[LTP] [RFC PATCH 0/2] IMA: Rewrite tests into new API + fixes\0" "Date\0Mon, 29 Jan 2018 14:58:23 -0500\0" - "To\0Petr Vorel <pvorel@suse.cz>\0" - "Cc\0ltp@lists.linux.it" - Dmitry Kasatkin <dmitry.kasatkin@huawei.com> - linux-integrity@vger.kernel.org - " Roberto Sassu <roberto.sassu@polito.it>\0" + "To\0ltp@lists.linux.it\0" "\00:1\0" "b\0" "On Sat, 2018-01-27 at 19:47 -0500, Mimi Zohar wrote:\n" 
@@ -21,9 +17,9 @@ "> > > > > Originally IMA allowed a builtin policy to be replaced with a custom\n" "> > > > > policy, by simply cat'ing a file into the securityfs IMA policy file.\n" "> > > > > Currently, if new rules can be added to the custom policy (Kconfig\n" - "> > > > > IMA_WRITE_POLICY enabled), the policy file must be signed. Similarly,\n" + "> > > > > IMA_WRITE_POLICY enabled), the policy file must be signed. \302\240Similarly,\n" "> > > > > if the builtin \"secure-boot\" policy is defined on the boot command\n" - "> > > > > line, the custom policy must be signed. Test \"ima01 ima_policy.sh\"\n" + "> > > > > line, the custom policy must be signed. \302\240Test \"ima01 ima_policy.sh\"\n" "> > > > > should first detect if the policy must be signed, before running the\n" "> > > > > tests.\n" "> > \n" @@ -35,7 +31,7 @@ "> > security/integrity/ima/ima_fs.c which handles IMA sysfs doesn't have this functionality.\n" "> > Is it deliberate (security reason), that it's not exported to users?\n" "> \n" - "> This isn't really an IMA issue, but a TPM one. The TPM device driver\n" + "> This isn't really an IMA issue, but a TPM one. \302\240The TPM device driver\n" "> would need to export this information.\n" "\n" "Sorry, that was an answer to the wrong question. In ima_tpm.sh,\n" 
@@ -45,15 +41,15 @@ "\n" "Commit 313d21e \"tpm: device class for tpm\" moved the TPM sysfs\n" "location from /sys/class/misc/tpmX/device/ to\n" - "/sys/class/tpm/tpmX/device/. The pcrs are \n" + "/sys/class/tpm/tpmX/device/. \302\240The pcrs are\302\240\n" "\n" "\n" "To answer your question, if after writing the custom policy, the\n" "policy file disappears, then you obviously can't extend the policy.\n" - " If the policy file doesn't disappear, you might not be able to extend\n" - "the policy, just view it. Sorry, there's no method of knowing apriori\n" + "\302\240If the policy file doesn't disappear, you might not be able to extend\n" + "the policy, just view it. \302\240Sorry, there's no method of knowing apriori\n" "whether the policy can be extended.\n" "\n" Mimi -96054eb06f24d3f251018b2342e0782b31dbd4c3c0c1ff17770bea67fa5969d5 +9e66f66cdff36f6ff4c298d483ac00e559a903bc413fb8935483108af6ae7b67
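Review bot: the removed and added lines in the 1.txt hunks read as identical text, which makes the body diff look like noise; the content_digest hunks show the actual difference, where the N1 copy has \302\240 (a UTF-8 no-break space) in places where the other copy has a plain space, mostly after sentence-ending periods. The only other differences are in the headers: the Subject carries "[LTP]" instead of "Re:", and the To/Cc list is reduced to ltp@lists.linux.it, which is consistent with the same reply arriving once directly and once through the LTP list. Normalizing U+00A0 to a plain space before comparing the two copies would leave only those header differences, and the wording of the reply is the same in both.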