[PATCH 2/2] ipe: also reject policy updates with the same version

Fan Wu wufan at linux.microsoft.com
Tue Sep 24 16:32:51 UTC 2024



On 9/23/2024 2:48 PM, Luca Boccassi wrote:
> On Mon, 23 Sept 2024 at 20:01, Fan Wu <wufan at linux.microsoft.com> wrote:
>>
>>
>>
...
>> Hi Luca,
>>
>> Can you elaborate more about the potential confusion for the userspace
>> users?
>>
>> The policy version is currently used to prevent the activation of
>> outdated or vulnerable policies (e.g., to avoid activating a policy
>> trusting a compromised device). The version is not incremented unless a
>> vulnerability is identified. Essentially, version comparison acts as a
>> minimum threshold, ensuring only policies that meet or exceed this
>> version can be activated.
> 
> "Version" suggests something that is bumped every time there is a
> change, that's usually what the term is used for. The fact that one
> can change the policy without changing the version confused me a lot.
> Perhaps it should be renamed to "generation" or so, to make it more
> clear that it is not intended to be changed every time, but just to
> signal the start of a new generation to avoid downgrade attacks?
> 

I'm inclined to keep the 'version' name, but I agree with your point.
Requiring a newer version for policy updates makes sense to me. As for
the version check in ipe_set_active_pol(), we can maintain the current
behavior, allowing the version to continue serving as a minimum
threshold for activating a policy. In this case, I think the only change
needed for this patch is to update the documentation for the `update`
operation.

-Fan
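The two rules discussed above, written out as a constructed example that is not part of the thread or of the kernel's IPE code: an `update` must carry a strictly newer version, while activation treats the version as a minimum threshold (equal is allowed, older is refused). The version format, struct and function names are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed illustration: a policy version is taken to be "major.minor.patch". */
struct pol_version { unsigned major, minor, patch; };

/* Parse "1.2.3"; return false on malformed input so callers reject it outright. */
static bool parse_version(const char *s, struct pol_version *v)
{
    char tail;
    /* Exactly three fields and nothing after them; a 4th match means trailing junk. */
    return sscanf(s, "%u.%u.%u%c", &v->major, &v->minor, &v->patch, &tail) == 3;
}

/* Lexicographic compare on (major, minor, patch): <0, 0, >0 like strcmp. */
static int cmp_version(const struct pol_version *a, const struct pol_version *b)
{
    if (a->major != b->major) return a->major < b->major ? -1 : 1;
    if (a->minor != b->minor) return a->minor < b->minor ? -1 : 1;
    if (a->patch != b->patch) return a->patch < b->patch ? -1 : 1;
    return 0;
}

/* Rule for the `update` operation as agreed in the thread: the replacement
 * policy must be strictly newer, so the same version is rejected as well.
 * Returns 0 when allowed, -1 when rejected (including malformed input). */
int update_version_ok(const char *current, const char *replacement)
{
    struct pol_version cur, rep;
    if (!parse_version(current, &cur) || !parse_version(replacement, &rep))
        return -1;
    return cmp_version(&rep, &cur) > 0 ? 0 : -1;
}

/* Rule kept for activation: the version acts as a minimum threshold, so a
 * candidate at or above the active policy's version may be activated,
 * while anything older is a downgrade and is refused. */
int activate_version_ok(const char *active, const char *candidate)
{
    struct pol_version act, cand;
    if (!parse_version(active, &act) || !parse_version(candidate, &cand))
        return -1;
    return cmp_version(&cand, &act) >= 0 ? 0 : -1;
}
```

Note that the comparison is numeric per field, so "1.10.0" correctly ranks above "1.9.9"; a plain string compare would get that wrong.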
