[PATCH 2/2] ipe: also reject policy updates with the same version

Luca Boccassi luca.boccassi at gmail.com
Wed Sep 25 20:43:01 UTC 2024


On Tue, 24 Sept 2024 at 18:32, Fan Wu <wufan at linux.microsoft.com> wrote:
>
>
>
> On 9/23/2024 2:48 PM, Luca Boccassi wrote:
> > On Mon, 23 Sept 2024 at 20:01, Fan Wu <wufan at linux.microsoft.com> wrote:
> >>
> >>
> >>
> ...
> >> Hi Luca,
> >>
> >> Can you elaborate more about the potential confusion for the userspace
> >> users?
> >>
> >> The policy version is currently used to prevent the activation of
> >> outdated or vulnerable policies (e.g., to avoid activating a policy
> >> trusting a compromised device). The version is not incremented unless a
> >> vulnerability is identified. Essentially, version comparison acts as a
> >> minimum threshold, ensuring only policies that meet or exceed this
> >> version can be activated.
> >
> > "Version" suggests something that is bumped every time there is a
> > change, that's usually what the term is used for. The fact that one
> > can change the policy without changing the version confused me a lot.
> > Perhaps it should be renamed to "generation" or so, to make it more
> > clear that it is not intended to be changed every time, but just to
> > signal the start of a new generation to avoid downgrade attacks?
> >
>
> I’m inclined to keep the 'version' name, but I agree with your point.
> Requiring a newer version for policy updates makes sense to me. As for
> the version check in ipe_set_active_pol(), we can maintain the current
> behavior, allowing the version to continue serving as a minimum
> threshold for activating a policy. In this case, I think the only change
> needed for this patch is to update the documentation for the `update`
> operation.
>
> -Fan

Sure, just sent v2 with the doc update, thanks.
