From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: ltp@lists.linux.it
Subject: [LTP] [RFC PATCH v2 1/4] security/ima: Rewrite tests into new API + fixes
Date: Wed, 11 Apr 2018 16:03:33 -0400 [thread overview]
Message-ID: <1523477013.5268.72.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <20180411190335.GB25859@x230>
On Wed, 2018-04-11 at 21:03 +0200, Petr Vorel wrote:
> Hi Mimi,
> > > > > load_policy()
> > > ...
> > > > > cat $1 |
> > > > > - while read line ; do
> > > > > - {
> > > > > - if [ "${line#\#}" = "${line}" ] ; then
> > > > > - echo $line >&4 2> /dev/null
> > > > > + while read line; do
> > > > > + if [ "${line#\#}" = "${line}" ]; then
> > > > > + echo "$line" >&4 2> /dev/null
> > > > > if [ $? -ne 0 ]; then
> > > > > exec 4>&-
> > > > > return 1
> > > > > fi
> > > > > fi
> > > > > - }
>
> > > > Originally writing the policy was done one rule at a time, but hasn't
> > > > been required for a long time. dracut and systemd 'cat' the policy
> > > > directly to the pseudo file.
> > > OK, let's simplify it to catting the content.
>
> > Replacing the builtin policy with a new policy in the initramfs was
> > considered safe. With commit 38d859f991f3 ("IMA: policy can now be
> > updated multiple times") the policy can be extended multiple times,
> > not only from the initramfs. For it to be safe to extend the IMA
> > policy (eg. CONFIG_IMA_WRITE_POLICY), the policy must be signed.
>
> > These tests assume the policy does not need to be signed.
> Is it a good idea to expect that policy must be signed also for older kernels
> (kernels before 4.5)?
The ability to sign the policy file was introduced with commit 7429b09
("ima: load policy using path"). According to "git branch --
contains", it was upstreamed in linux-4.6.
Mimi
next prev parent reply other threads:[~2018-04-11 20:03 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-14 15:57 [LTP] [RFC PATCH v2 0/4] Rewrite tests into new API + fixes Petr Vorel
2018-03-14 15:57 ` [LTP] [RFC PATCH v2 1/4] security/ima: " Petr Vorel
2018-03-14 16:32 ` Petr Vorel
2018-03-27 19:12 ` Mimi Zohar
2018-03-29 8:59 ` Petr Vorel
2018-04-10 15:56 ` Mimi Zohar
2018-04-11 19:03 ` Petr Vorel
2018-04-11 20:03 ` Mimi Zohar [this message]
2018-03-14 15:57 ` [LTP] [RFC PATCH v2 2/4] security/ima: Run measurements after policy Petr Vorel
2018-03-14 15:57 ` [LTP] [RFC PATCH v2 3/4] ima/ima_boot_aggregate: Increase MAX_EVENT_SIZE to 8k Petr Vorel
2018-03-27 19:44 ` Mimi Zohar
2018-03-27 22:23 ` George Wilson
2018-03-29 6:18 ` Petr Vorel
2018-03-14 15:57 ` [LTP] [RFC PATCH v2 4/4] ima/tpm: Various fixes Petr Vorel
2018-03-26 22:31 ` [LTP] [RFC PATCH v2 0/4] Rewrite tests into new API + fixes Mimi Zohar
2018-03-27 9:22 ` Petr Vorel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1523477013.5268.72.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=ltp@lists.linux.it \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox