From: Mimi Zohar <zohar@linux.ibm.com>
To: Tahera Fahimi <taherafahimi@linux.microsoft.com>,
roberto.sassu@huawei.com, dmitry.kasatkin@gmail.com,
eric.snowberg@oracle.com, paul@paul-moore.com, jmorris@namei.org,
serge@hallyn.com, linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, code@tyhicks.com
Cc: Lennart Poettering <mzxreary@0pointer.de>
Subject: Re: [Patch V1] ima: avoid duplicate policy rules insertions
Date: Thu, 20 Nov 2025 10:39:31 -0500 [thread overview]
Message-ID: <9f593c5f5882e8ed0d807376eefd4530462741d3.camel@linux.ibm.com> (raw)
In-Reply-To: <16c73b4e0761a1622770102d1d48982fe9ae86ac.camel@linux.ibm.com>
On Tue, 2025-11-11 at 06:40 -0500, Mimi Zohar wrote:
> [Cc'ing Lennart Poettering]
>
> On Thu, 2025-11-06 at 18:14 +0000, Tahera Fahimi wrote:
> > Prevent redundant IMA policy rules by checking for duplicates before insertion. This ensures that
> > rules are not re-added when userspace is restarted (using systemd-soft-reboot) without a full system
> > reboot. ima_rule_exists() detects duplicates in both temporary and active rule lists.
> >
> > Signed-off-by: Tahera Fahimi <taherafahimi@linux.microsoft.com>
>
> Sorry for the delay in responding ...
>
> Before trying to fix the "problem", let's try to understand it first. At least
> on my test system (-rc5), kexec is working as designed. On boot, systemd
> replaces the existing builtin IMA policy with a custom IMA policy. The arch
> specific policies are not affected, as they are persistent. On a soft reboot
> (kexec), the IMA custom policy is re-loaded as expected.
>
> To verify the above behavior, extend the IMA policy before the soft reboot.
> Notice after the soft reboot that the original custom IMA policy is loaded and
> not the extended IMA policy. Roberto, if there is a problem with this behavior,
> we'll discuss it independently of this proposed patch.
>
> The question is why are you seeing duplicate IMA policy rules? What is special
> about your environment?
I'm now able to reproduce what you're seeing by executing "systemctl soft-
reboot". After each soft-reboot the custom IMA policy rules are re-loaded and
appended to the existing IMA policy. As Roberto mentioned, there is no option
to replace the existing custom IMA policy rules with a new custom policy. We
might consider doing so in the future, but for now the onus for not re-loading
the custom IMA policy should not be on IMA, but on systemd.
Reading the same securityfs policy file used for loading the IMA policy will
return the current IMA policy. systemd could detect whether the existing IMA
policy contains the custom policy rules, before actually loading them. There's
no reason for adding this functionality in the kernel.
--
thanks,
Mimi
prev parent reply other threads:[~2025-11-20 15:40 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-06 18:14 [Patch V1] ima: avoid duplicate policy rules insertions Tahera Fahimi
2025-11-06 20:32 ` Anirudh Venkataramanan
2025-11-10 19:06 ` Tahera Fahimi
2025-11-11 9:46 ` Roberto Sassu
2025-11-07 6:54 ` kernel test robot
2025-11-07 9:44 ` Roberto Sassu
2025-11-07 10:56 ` Lennart Poettering
2025-11-07 11:56 ` Roberto Sassu
2025-11-11 11:40 ` Mimi Zohar
2025-11-20 15:39 ` Mimi Zohar [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9f593c5f5882e8ed0d807376eefd4530462741d3.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=code@tyhicks.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=eric.snowberg@oracle.com \
--cc=jmorris@namei.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mzxreary@0pointer.de \
--cc=paul@paul-moore.com \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=taherafahimi@linux.microsoft.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).