[PATCH v10 06/27] ima: Move arch_policy_entry into ima_namespace
Mimi Zohar
zohar at linux.ibm.com
Wed Feb 16 20:56:44 UTC 2022
On Wed, 2022-02-16 at 15:48 -0500, Stefan Berger wrote:
> On 2/16/22 11:39, Mimi Zohar wrote:
> > On Tue, 2022-02-01 at 15:37 -0500, Stefan Berger wrote
> >
> > Let's update the patch description providing a bit more background
> > info:
> >
> > The archictecture specific policy rules, currently defined for EFI and
> > powerpc, require the kexec kernel image and kernel modules to be
> > validly signed and measured, based on the system's secure boot and/or
> > trusted boot mode and the IMA_ARCH_POLICY Kconfig option being enabled.
> >
> >> Move the arch_policy_entry pointer into ima_namespace.
> > Perhaps include something about namespaces being allowed or not allowed
> > to kexec a new kernel or load kernel modules.
>
> Namespaces are not allowed to kexec but special-casing the init_ima_ns
> in the code to handle namespaces differently makes it much harder to
> read the code. I would avoid special-casing init_ima_ns as much as
> possible and therefore I have moved the arch_policy_entry into the
> ima_namespace.
Please include this in the patch description, but re-write the last
line in the 3rd person, like:
To avoid special-casing init_ima_ns, as much as possible, move the
arch_policy_entry into the ima_namespace.
thanks,
Mimi
More information about the Linux-security-module-archive
mailing list