[PATCH v4 08/10] IMA: Defined functions to queue and dequeue keys for measurement
Lakshmi Ramasubramanian
nramas at linux.microsoft.com
Thu Nov 7 02:20:11 UTC 2019
On 11/6/19 2:44 PM, Mimi Zohar wrote:
Hi Mimi,
>> +
>> + if (ima_initialized) {
>
> ima_initialized is being set in ima_init(), before a custom policy is
> loaded. I would think that is too early. ima_update_policy() is
> called after loading a custom policy. Please see how to detect when a
> custom policy is loaded.
ima_init_policy() is called before ima_initialized flag is set.
As far as I understand ima_init_policy() loads custom policies as well.
So custom policies (such as arch specific policies, secure boot
policies, etc.) are loaded before the queued keys are processed.
But if CONFIG_IMA_WRITE_POLICY is enabled, the policy can be updated
anytime. This scenario is not handled in my implementation.
Please correct me if my understanding is wrong.
thanks,
-lakshmi
More information about the Linux-security-module-archive
mailing list