From: Rob Landley <rob@landley.net>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>, Christophe Fillot <cf@utc.fr>
Cc: linux-ima-user@lists.sourceforge.net,
linux-security-module <linux-security-module@vger.kernel.org>,
linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: [Linux-ima-user] Initramfs and IMA Appraisal
Date: Mon, 29 Dec 2014 14:34:54 -0600 [thread overview]
Message-ID: <54A1BAEE.6000101@landley.net> (raw)
In-Reply-To: <1419860736.14143.13.camel@dhcp-9-2-203-236.watson.ibm.com>
On 12/29/2014 07:45 AM, Mimi Zohar wrote:
> On Thu, 2014-11-27 at 10:15 +0100, Christophe Fillot wrote:
>>>
>>> Are you using an initrd not an initramfs? According to
>>> Documentation/filesystems/ramfs-rootfs-initramfs.txt, "If
>> CONFIG_TMPFS
>>> is enabled, rootfs will use tmpfs instead of ramfs by default".
>>>
>> Yes, that what I thought too, but it seems that it is not really the
>> case because of this test:
>>
>> if (IS_ENABLED(CONFIG_TMPFS) && !saved_root_name[0] &&
>> (!root_fs_names || strstr(root_fs_names, "tmpfs"))) {
>> err = shmem_init();
>> is_tmpfs = true;
>> } else {
>> err = init_ramfs_fs();
>> }
>
> [CC'ing Rob Landley, lsm, lkml]
>
> Thanks! "saved_root_name" is set to the boot command line "root="
> option, which in my case is the UUID. I'm not sure why real root should
> impact the initramfs tmpfs/ramfs decision.
>
> Unless there is a good explanation, did you want to post a patch to
> remove the test?
I added support last year, here's the start of the patch series:
https://lkml.org/lkml/2013/6/29/101
The logic is that if you specify a fallback root via root=, then you're
not staying on rootfs (that's what root= _means_, "here is the root
filesystem the kernel is to mount over rootfs"), and thus the extra
infrastructure for tmpfs instead of ramfs is unnecessary.
I keep encountering people who set root=/dev/ram0 because they think
that means initrd (it doesn't), and then they feed in a cpio archive
(that's a third state even before you get to the ramfs/tmpfs
distinction), and they always want to change the code to make what they
asked it to do not be crazy...
Possibly the documentation needs to elaborate, but I expect what we
really need is a CONFIG_VERBOSE_ROOT_SETUP that sticks in a bunch of
printfs so the /dev/console output explains what it's doing. ("could not
exec /init out of initramfs (errno %d, file %s), falling back to
root=\nAdd blather=1 to kernel cmdline to see cpio
filenames/permissions.", and so on. Where "actual exec" shows where your
dynamic linker is when that's what wasn't there.)
Rob
next prev parent reply other threads:[~2014-12-29 20:34 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <5463ABC8.10308@utc.fr>
[not found] ` <1415827252.18773.33.camel@dhcp-9-2-203-236.watson.ibm.com>
[not found] ` <547617AF.6000604@utc.fr>
[not found] ` <1417039941.26016.46.camel@dhcp-9-2-203-236.watson.ibm.com>
[not found] ` <5476EBAC.8090103@utc.fr>
2014-12-29 13:45 ` [Linux-ima-user] Initramfs and IMA Appraisal Mimi Zohar
2014-12-29 20:34 ` Rob Landley [this message]
2014-12-29 21:46 ` Mimi Zohar
2014-12-30 1:55 ` Rob Landley
2014-12-30 3:20 ` Mimi Zohar
2014-12-30 4:17 ` Rob Landley
2014-12-30 2:25 ` David Lang
2014-12-30 3:06 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=54A1BAEE.6000101@landley.net \
--to=rob@landley.net \
--cc=cf@utc.fr \
--cc=linux-ima-user@lists.sourceforge.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.