[RFC PATCH] ima: require secure_boot rules in lockdown mode
David Howells
dhowells at redhat.com
Mon Oct 30 17:05:38 UTC 2017
Mimi Zohar <zohar at linux.vnet.ibm.com> wrote:
> > Did you mean "true" rather than "TRUE"?
>
> Yes, of course. Commit 9f4b6a254d7a "ima: Fix bool
> initialization/comparison" already addresses it. Please remove it
> from this patch.
Is that with James? I don't seem to have a copy, and I don't want to cause a
patch collision.
> > I guess also that oopsing is okay if the allocation fails. We've run out of
> > memory during early boot, after all.
>
> If the memory allocation fails, the "secure_boot" policy will not be
> enabled for custom policies, but how is that "oopsing".
Sorry - I overlooked the fact that the variable is not used if it's not zero.
> If it fails, there needs to be some indication of the failure, which there
> currently isn't. Perhaps also prevent loading a custom policy.
Does it need to panic (probably fine as a small memory alloc failed)? If it
doesn't set this policy what's the effect on things using
is_ima_appraise_enabled() - assuming we get that far?
David
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
More information about the Linux-security-module-archive
mailing list