[RFC PATCH] ima: require secure_boot rules in lockdown mode
Mimi Zohar
zohar at linux.vnet.ibm.com
Mon Oct 30 17:00:27 UTC 2017
On Mon, 2017-10-30 at 15:55 +0000, David Howells wrote:
> I've added this into my series as the third patch, but:
>
> Mimi Zohar <zohar at linux.vnet.ibm.com> wrote:
>
> > + ima_use_appraise_tcb = TRUE;
>
> Did you mean "true" rather than "TRUE"?
Yes, of course. Commit 9f4b6a254d7a "ima: Fix bool
initialization/comparison" already addresses it. Please remove it
from this patch.
>
> > + entry = kzalloc(sizeof(*entry), GFP_KERNEL);
> > + if (entry) {
> > + memcpy(entry, &secure_boot_rules[i],
> > + sizeof(*entry));
>
> kmemdup()?
Probably
>
> I guess also that oopsing is okay if the allocation fails. We've run out of
> memory during early boot, after all.
If the memory allocation fails, the "secure_boot" policy will not be
enabled for custom policies, but how is that "oopsing". If it fails,
there needs to be some indication of the failure, which there
currently isn't. Perhaps also prevent loading a custom policy.
>
> > + INIT_LIST_HEAD(&entry->list);
> > + list_add_tail(&entry->list, &ima_policy_rules);
>
> Isn't the init redundant, given the following line?
ok
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
More information about the Linux-security-module-archive
mailing list