[PATCH v5 15/16] ima: Move dentries into ima_namespace
Stefan Berger
stefanb at linux.ibm.com
Fri Dec 10 12:40:00 UTC 2021
On 12/10/21 07:09, Mimi Zohar wrote:
> On Fri, 2021-12-10 at 12:49 +0100, Christian Brauner wrote:
>>> There's still the problem that if you write the policy, making the file
>>> disappear then unmount and remount securityfs it will come back. My
>>> guess for fixing this is that we only stash the policy file reference,
>>> create it if NULL but then set the pointer to PTR_ERR(-EINVAL) or
>>> something and refuse to create it for that value.
>> Some sort of indicator that gets stashed in struct ima_ns that the file
>> does not get recreated on consecutive mounts. That shouldn't be hard to
>> fix.
> The policy file disappearing is for backwards compatibility, prior to
> being able to extend the custom policy. For embedded usecases,
> allowing the policy to be written exactly once might makes sense. Do
> we really want/need to continue to support removing the policy in
> namespaces?
I don't have an answer but should the behavior for the same #define in
this case be different for host and namespaces? Or should we just
'select IMA_WRITE_POLICY and IMA_READ_POLICY' when IMA_NS is selected?
>
> thanks,
>
> Mimi
>
More information about the Linux-security-module-archive
mailing list