From: Bruno Meneguele <bmeneg@redhat.com>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: linux-integrity@vger.kernel.org
Subject: Re: [PATCH 3/4] ima: limit secure boot feedback scope for appraise
Date: Fri, 4 Sep 2020 14:47:20 -0300 [thread overview]
Message-ID: <20200904174720.GG2568@heredoc.io> (raw)
In-Reply-To: <25a0912802168cf104ffc7d8ac4f1b2ec12e054d.camel@linux.ibm.com>
[-- Attachment #1: Type: text/plain, Size: 2494 bytes --]
On Mon, Aug 24, 2020 at 04:11:22PM -0400, Mimi Zohar wrote:
> On Mon, 2020-08-17 at 18:52 -0300, Bruno Meneguele wrote:
> > Instead of print to kmsg any ima_appraise= option passed by the user in case
> > of secure boot being enabled, first check if the state was really changed
> > from its original "enforce" state, otherwise don't print anything.
>
> Please reword this patch description, removing "Instead of print to
> kmsg".
>
ack
> >
> > Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
> > ---
> > security/integrity/ima/ima_appraise.c | 16 +++++++++++-----
> > 1 file changed, 11 insertions(+), 5 deletions(-)
> >
> > diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
> > index 2193b51c2743..000df14f198a 100644
> > --- a/security/integrity/ima/ima_appraise.c
> > +++ b/security/integrity/ima/ima_appraise.c
> > @@ -19,11 +19,7 @@
> > static int __init default_appraise_setup(char *str)
> > {
> > #ifdef CONFIG_IMA_APPRAISE_BOOTPARAM
> > - if (arch_ima_get_secureboot()) {
> > - pr_info("Secure boot enabled: ignoring ima_appraise=%s boot parameter option",
> > - str);
> > - return 1;
> > - }
> > + bool sb_state = arch_ima_get_secureboot();
> >
> > if (strncmp(str, "off", 3) == 0)
> > ima_appraise = 0;
> > @@ -35,6 +31,16 @@ static int __init default_appraise_setup(char *str)
> > ima_appraise = IMA_APPRAISE_ENFORCE;
> > else
> > pr_err("invalid \"%s\" appraise option", str);
> > +
> > + /* If appraisal state was changed, but secure boot is enabled,
> > + * reset it to enforced */
> > + if (sb_state) {
> > + if (!is_ima_appraise_enabled()) {
> > + pr_info("Secure boot enabled: ignoring ima_appraise=%s option",
> > + str);
> > + ima_appraise = IMA_APPRAISE_ENFORCE;
> > + }
> > + }
>
> Instead of changing ima_appraise and then resetting it back to
> enforcing, how about using a temporary variable instead? Maybe
> something like:
>
> if (!is_ima_appraise_enabled())
> pr_info( ...)
> else
> ima_appraise = temporary value
>
Yes, indeed it would be nice to keep the default state unchanged. Only
thing is that 'is_ima_appraise_enabled()' directly checks 'ima_appraise &
IMA_APPRAISE_ENFORCE', changing to a temp var would require the if() to
check it directly.
I'm going to send a v2 with it changed.
Thanks.
> > #endif
> > return 1;
> > }
>
>
--
bmeneg
PGP Key: http://bmeneg.com/pubkey.txt
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
next prev parent reply other threads:[~2020-09-04 18:10 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-17 21:52 [PATCH 0/4] integrity: improve user feedback for invalid bootparams Bruno Meneguele
2020-08-17 21:52 ` [PATCH 1/4] ima: add check for enforced appraise option Bruno Meneguele
2020-08-17 21:52 ` [PATCH 2/4] integrity: invalid kernel parameters feedback Bruno Meneguele
2020-08-24 20:11 ` Mimi Zohar
2020-08-17 21:52 ` [PATCH 3/4] ima: limit secure boot feedback scope for appraise Bruno Meneguele
2020-08-24 20:11 ` Mimi Zohar
2020-09-04 17:47 ` Bruno Meneguele [this message]
2020-08-17 21:52 ` [PATCH 4/4] integrity: prompt keyring name for unknown key request Bruno Meneguele
2020-08-24 20:13 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200904174720.GG2568@heredoc.io \
--to=bmeneg@redhat.com \
--cc=linux-integrity@vger.kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.