From: Roberto S. <rob...@po...> - 2010-04-14 14:45:22
Yes, this definitely solves the issue and probably grants better performance, since there are fewer iterations in the list. The only thing needed is that the policy writer must be careful to write rules in the right order. SELinux has the useful feature of modifying the policy at runtime: in case future versions of IMA support dynamic policy loading, we can insert new rules using the "action" as sort key.

On Wednesday 14 April 2010 15:26:47 Eric Paris wrote:
> On Wed, Apr 14, 2010 at 5:52 AM, Roberto Sassu <rob...@po...> wrote:
> > The "ima_policy_match" function has been modified to handle situations in
> > a different manner: when two or more policies match the given criteria, the
> > MEASURE decision is taken if there is no rule with action DONT_MEASURE.
> >
> > Signed-off-by: Roberto Sassu <rob...@po...>
> > Acked-by: Gianluca Ramunno <ra...@po...>
>
> Wouldn't it be better to just fix the rule ordering? If you want the
> DONT_MEASURE rule to win, put it first?
>
> -Eric
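
The two evaluation strategies discussed in this thread, plus the insert keyed on the action, as an added example that is not part of the original message or of the IMA code. The `rule` struct, the wildcard value, the no-match default and all function names are assumptions of this simplified model; the sample policy is constructed.

```c
#include <stddef.h>
#include <stdio.h>
/* Simplified model for illustration; not the kernel's IMA code. */
enum action { DONT_MEASURE = 0, MEASURE = 1 };   /* DONT_MEASURE sorts first */
struct rule { enum action action; unsigned long fsmagic; };
#define ANY_FS 0UL      /* wildcard filesystem (assumption of this model) */
#define PROCFS 0x9fa0UL /* PROC_SUPER_MAGIC */

/* Constructed sample policy, written in the "wrong" order. */
static const struct rule sample[] = { { MEASURE, ANY_FS }, { DONT_MEASURE, PROCFS } };

static int matches(const struct rule *r, unsigned long fs)
{
    return r->fsmagic == ANY_FS || r->fsmagic == fs;
}

/* First-match evaluation: the first matching rule decides and ends the walk. */
int first_match(const struct rule *p, size_t n, unsigned long fs)
{
    for (size_t i = 0; i < n; i++)
        if (matches(&p[i], fs))
            return p[i].action;
    return DONT_MEASURE;   /* nothing matched (default is an assumption) */
}

/* Patch behaviour: MEASURE only if no matching rule says DONT_MEASURE. */
int dont_measure_wins(const struct rule *p, size_t n, unsigned long fs)
{
    for (size_t i = 0; i < n; i++)
        if (matches(&p[i], fs) && p[i].action == DONT_MEASURE)
            return DONT_MEASURE;
    return first_match(p, n, fs);   /* only MEASURE rules can match now */
}

/* Stable insert using the action as sort key; returns the new length. */
size_t insert_by_action(struct rule *p, size_t n, struct rule r)
{
    size_t pos = n;
    for (; pos > 0 && p[pos - 1].action > r.action; pos--)
        p[pos] = p[pos - 1];
    p[pos] = r;
    return n + 1;
}

int main(void)
{
    printf("%d %d\n", first_match(sample, 2, PROCFS), dont_measure_wins(sample, 2, PROCFS));
    return 0;
}
```

With the list kept sorted by `insert_by_action`, `first_match` returns the same decision as the full walk while stopping at the first hit.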