[PATCH v10 06/27] ima: Move arch_policy_entry into ima_namespace

Stefan Berger stefanb at linux.ibm.com
Wed Feb 16 20:48:57 UTC 2022


On 2/16/22 11:39, Mimi Zohar wrote:
> On Tue, 2022-02-01 at 15:37 -0500, Stefan Berger wrote
>
> Let's update the patch description providing a bit more background
> info:
>
> The archictecture specific policy rules, currently defined for EFI and
> powerpc, require the kexec kernel image and kernel modules to be
> validly signed and measured, based on the system's secure boot and/or
> trusted boot mode and the IMA_ARCH_POLICY Kconfig option being enabled.
>
>> Move the arch_policy_entry pointer into ima_namespace.
> Perhaps include something about namespaces being allowed or not allowed
> to kexec a new kernel or load kernel modules.

Namespaces are not allowed to kexec but special-casing the init_ima_ns 
in the code to handle namespaces differently makes it much harder to 
read the code. I would avoid special-casing init_ima_ns as much as 
possible and therefore I have moved the arch_policy_entry into the 
ima_namespace.

    Stefan


> thanks,
>
> Mimi
>> When freeing the memory set the pointer to NULL.
>>
>> Signed-off-by: Stefan Berger <stefanb at linux.ibm.com>
>> Acked-by: Christian Brauner <brauner at kernel.org>
>> Reviewed-by: Mimi Zohar <zohar at linux.ibm.com>



More information about the Linux-security-module-archive mailing list