From: Baoquan He <bhe@redhat.com>
To: Paul Menzel <pmenzel@molgen.mpg.de>
Cc: zohar@linux.ibm.com, linux-integrity@vger.kernel.org,
kexec@lists.infradead.org
Subject: Re: [RFC PATCH] ima: add a knob to make IMA be able to be disabled
Date: Mon, 31 Mar 2025 16:21:26 +0800 [thread overview]
Message-ID: <Z+pQTb+e0SuMvwkS@MiWiFi-R3L-srv>
In-Reply-To: <42ae3379-992e-45fc-acfc-0f808ff0d406@molgen.mpg.de>
Hi Paul,
On 03/31/25 at 08:22am, Paul Menzel wrote:
>
Thanks for your careful review.
>
> Thank you for your patch. I’d add the knob name to the commit message
> summary/title, so it shows up in `git log --oneline`.
Sounds great, will change.
>
> Am 31.03.25 um 08:16 schrieb Baoquan He:
> > It doesn't make sense to run IMA functionality in the kdump kernel, and that
> > will cost extra memory. It would be great to allow IMA to be disabled on
> > purpose, e.g. for the kdump kernel.
> >
> > Hence add a knob here to allow people to disable IMA if needed.
>
> `initcall_blacklist=…` could be used already. I prefer a dedicated parameter
> too though.
Yes, adding a parameter provides explicit functionality for the
feature, while 'initcall_blacklist=' can't guarantee there won't be a
dependency or connection between ima and other features, and people could
add or change the connection at any time while userspace is using it
without knowing about the change.
>
> > Signed-off-by: Baoquan He <bhe@redhat.com>
> > ---
> > security/integrity/ima/ima_main.c | 21 +++++++++++++++++++++
> > 1 file changed, 21 insertions(+)
> >
> > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> > index 28b8b0db6f9b..5d677d1389fe 100644
> > --- a/security/integrity/ima/ima_main.c
> > +++ b/security/integrity/ima/ima_main.c
> > @@ -38,11 +38,27 @@ int ima_appraise;
> > int __ro_after_init ima_hash_algo = HASH_ALGO_SHA1;
> > static int hash_setup_done;
> > +static int ima_disabled = 0;
> > static struct notifier_block ima_lsm_policy_notifier = {
> > .notifier_call = ima_lsm_policy_change,
> > };
> > +static int __init ima_setup(char *str)
> > +{
> > + if (strncmp(str, "off", 3) == 0)
> > + ima_disabled = 1;
> > + else if (strncmp(str, "on", 2) == 0)
> > + ima_disabled = 0;
> > + else
> > + pr_err("invalid ima setup option: \"%s\" ", str);
>
> I’d add the allowed strings.
Sounds better, will change.
>
> > +
> > + return 1;
> > +}
> > +__setup("ima=", ima_setup);
> > +
> > +
> > +
> > static int __init hash_setup(char *str)
> > {
> > struct ima_template_desc *template_desc = ima_template_desc_current();
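Review bot: the strncmp(str, "off", 3) and strncmp(str, "on", 2) comparisons in ima_setup() only check a prefix, so a value such as ima=offline or ima=only silently disables or enables IMA instead of reaching the invalid-option branch; compare the whole token (strcmp(str, "off") == 0) or parse it with kstrtobool(), and fix the pr_err() format, which has a trailing space and no "\n". Two smaller points in the same hunk: "static int ima_disabled = 0;" should not be explicitly zero-initialised (checkpatch flags this), and since the flag is only read during init it can be marked __initdata; the three consecutive blank lines added after __setup("ima=", ima_setup); should be collapsed to one.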
> > @@ -1176,6 +1192,11 @@ static int __init init_ima(void)
> > {
> > int error;
> > + if (ima_disabled) {
> > + pr_info("IMA functionality is disabled on purpose!");
>
> … on Linux CLI.
I may not get the suggestion in this place, could you be more specific?
>
> > + return 0;
> > + }
> > +
> > ima_appraise_parse_cmdline();
> > ima_init_template_list();
> > hash_setup(CONFIG_IMA_DEFAULT_HASH);
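Review bot: the new ima= parameter is undocumented; the diffstat above touches only security/integrity/ima/ima_main.c, so Documentation/admin-guide/kernel-parameters.txt needs an entry describing ima=on|off and its intended use for the kdump kernel. The pr_info() string in this hunk also lacks a trailing "\n". Because the early return 0 skips ima_appraise_parse_cmdline(), ima_init_template_list() and everything after them, a single command-line token turns off both measurement and appraisal for the whole boot; the commit message should say so explicitly so the knob is not mistaken for a general tuning option.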
>
>
> Kind regards,
>
> Paul
>
Thread overview: 22+ messages
2025-03-31 6:16 [RFC PATCH] ima: add a knob to make IMA be able to be disabled Baoquan He
2025-03-31 6:22 ` Paul Menzel
2025-03-31 8:21 ` Baoquan He [this message]
2025-03-31 12:15 ` Mimi Zohar
2025-04-02 1:38 ` Coiby Xu
2025-04-02 1:47 ` RuiRui Yang
2025-04-02 3:30 ` Mimi Zohar
2025-04-02 8:43 ` Coiby Xu
2025-04-02 11:25 ` Mimi Zohar
2025-04-02 11:49 ` Baoquan He
2025-04-03 20:03 ` Mimi Zohar
2025-04-07 1:34 ` Baoquan He
2025-04-07 11:46 ` Mimi Zohar
2025-04-09 2:42 ` Baoquan He
2025-04-09 15:40 ` Mimi Zohar
2025-04-16 3:22 ` Baoquan He
2025-04-28 3:48 ` Coiby Xu
2025-04-29 11:39 ` Mimi Zohar
2025-05-09 5:59 ` Coiby Xu
2025-05-09 13:03 ` Mimi Zohar
2025-05-13 0:14 ` Coiby Xu
2025-05-13 3:55 ` Gao Xiang