[LTP] [RFC PATCH v2 1/4] security/ima: Rewrite tests into new API + fixes
Petr Vorel
pvorel@suse.cz
Wed Apr 11 21:03:35 CEST 2018
Hi Mimi,
> > > > load_policy()
> > ...
> > > > cat $1 |
> > > > - while read line ; do
> > > > - {
> > > > - if [ "${line#\#}" = "${line}" ] ; then
> > > > - echo $line >&4 2> /dev/null
> > > > + while read line; do
> > > > + if [ "${line#\#}" = "${line}" ]; then
> > > > + echo "$line" >&4 2> /dev/null
> > > > if [ $? -ne 0 ]; then
> > > > exec 4>&-
> > > > return 1
> > > > fi
> > > > fi
> > > > - }
> > > Originally writing the policy was done one rule at a time, but hasn't
> > > been required for a long time. dracut and systemd 'cat' the policy
> > > directly to the pseudo file.
> > OK, let's simplify it to catting the content.
> Replacing the builtin policy with a new policy in the initramfs was
> considered safe. With commit 38d859f991f3 ("IMA: policy can now be
> updated multiple times") the policy can be extended multiple times,
> not only from the initramfs. For it to be safe to extend the IMA
> policy (eg. CONFIG_IMA_WRITE_POLICY), the policy must be signed.
> These tests assume the policy does not need to be signed.
Is it a good idea to expect that policy must be signed also for older kernels
(kernels before 4.5)?
> Mimi
Kind regards,
Petr
More information about the ltp
mailing list