From: Mimi Zohar <zohar@linux.ibm.com>
To: Petr Vorel <pvorel@suse.cz>, linux-integrity@vger.kernel.org
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>, Nayna Jain <nayna@linux.ibm.com>
Subject: Re: [PATCH] ima: fix wrong signed policy requirement when not appraising
Date: Tue, 14 May 2019 18:37:05 -0400
Message-ID: <1557873425.4139.79.camel@linux.ibm.com>
In-Reply-To: <20190514220845.408-1-pvorel@suse.cz>
On Wed, 2019-05-15 at 00:08 +0200, Petr Vorel wrote:
> Kernel booted just with ima_policy=tcb (not with
> ima_policy=appraise_tcb) shouldn't require signed policy.
>
> Regression found with LTP test ima_policy.sh.
>
> Fixes: c52657d93b05 ("ima: refactor ima_init_policy()")
>
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
> ---
> Hi,
>
> assuming behavior prior to c52657d93b05 was correct.
> BTW I admit that using global variable inside helper function is nasty.
>
> Kind regards,
> Petr
>
> security/integrity/ima/ima_policy.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index e0cc323f948f..df0e6a1b063b 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -500,7 +500,7 @@ static void add_rules(struct ima_rule_entry *entries, int count,
> }
> if (entries[i].action == APPRAISE)
> temp_ima_appraise |= ima_appraise_flag(entries[i].func);
> - if (entries[i].func == POLICY_CHECK)
> + if (ima_use_appraise_tcb && entries[i].func == POLICY_CHECK)
> temp_ima_appraise |= IMA_APPRAISE_POLICY;
Instead of also testing "ima_use_appraise_tcb", try including the
POLICY_CHECK as part of the APPRAISE condition.
thanks!
Mimi
> }
> }
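Review bot: the `+` line makes the POLICY_CHECK test depend on the `ima_use_appraise_tcb` global rather than on the rule entry being processed, so add_rules() stops being driven purely by the `entries[]` table it walks (the cover letter itself flags the global as nasty). The two context lines above already draw the needed distinction: `temp_ima_appraise` is only accumulated when `entries[i].action == APPRAISE`, and a POLICY_CHECK rule whose action is not APPRAISE should likewise not set IMA_APPRAISE_POLICY. Nesting the check inside that branch, as in `if (entries[i].action == APPRAISE) { temp_ima_appraise |= ima_appraise_flag(entries[i].func); if (entries[i].func == POLICY_CHECK) temp_ima_appraise |= IMA_APPRAISE_POLICY; }`, fixes the ima_policy=tcb regression described in the commit message without consulting the boot-parameter state, which is the restructuring the reply asks for.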