From: Eric P. <ep...@pa...> - 2010-04-14 19:32:56
On Wed, Apr 14, 2010 at 5:51 AM, Roberto Sassu <rob...@po...> wrote:
> Description of the issue:
> The parsing function is used only when custom rules must be loaded to replace
> the default ones, but a different behavior can be observed with respect to the
> first case: only one element is allocated and it is populated by the parsing
> function that recognizes the tokens ' ' and '\n'.
> So, having multiple lines in the file passed through the exported interface
> doesn't lead to the same number of rules in the list, since only one allocated
> item is available. If a directive spans two different lines, only the last
> value is taken and the first one is overwritten.

I admit I haven't looked at the loading code before and it does seem 'special.'

It looks to me on first glance like the kernel accepts one rule per write() rather than one rule per line. If you send it two rules in a single write you are going to get a rather unpredictable result.

Your change is a good start to allow single writes which contain multiple rules. I'm guessing that's a good idea, though I think the parser should get a little smarter. Does it ever make sense to have 2 actions in a single rule, with the last one winning? You also added support for some sort of commenting in the rule set, didn't you? That probably needs to be a lot stronger too....

I'm not acking or nacking here, just trying to understand exactly the problem we are trying to solve. Loading rules using cat rule > /sys/kernel/security/ima/policy seems like a good direction to head.
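To make the direction discussed above concrete (one rule per line rather than one rule per write(), a rule with two actions rejected instead of "last one wins", and '#' comments stripped before tokenizing), here is a constructed userspace model of such a parser. It is an added example and not the kernel's IMA code or Roberto's patch; the type names, the MAX_RULES/MAX_KV limits, the error codes and the policy_load()/parse_rule_line() functions are assumptions for illustration, and the only actions it knows are measure and dont_measure. The sample policy text in main() is made up.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a line-oriented policy parser for the
 * "cat rules > .../ima/policy" case. Not the kernel's ima_parse_rule();
 * every name and limit here is an assumption for illustration. */

enum rule_action { ACT_NONE = 0, ACT_MEASURE, ACT_DONT_MEASURE };

enum parse_err {
	PARSE_NO_ACTION  = -1,  /* key=value tokens but no action keyword        */
	PARSE_DUP_ACTION = -2,  /* two actions in one rule: reject, no "last wins" */
	PARSE_BAD_TOKEN  = -3,  /* token is neither an action nor key=value      */
	PARSE_TOO_MANY   = -4,  /* rule or policy table full                     */
};

#define MAX_RULES 32
#define MAX_KV    8

struct kv { char key[32]; char val[64]; };
struct policy_rule { enum rule_action action; int nkv; struct kv kv[MAX_KV]; };
struct policy { int nrules; struct policy_rule rules[MAX_RULES]; };

/* Parse one line. Returns 1 if a rule was produced, 0 for a blank or
 * comment-only line, or a negative parse_err. Lines are tokenized on
 * blanks only; '\n' is handled by the caller, so one line is one rule. */
int parse_rule_line(const char *line, struct policy_rule *r)
{
	char buf[256], *save, *tok, *hash;

	memset(r, 0, sizeof(*r));
	if (strlen(line) >= sizeof(buf))
		return PARSE_BAD_TOKEN;          /* reject rather than silently truncate */
	strcpy(buf, line);

	hash = strchr(buf, '#');                 /* '#' comments out the rest of the line */
	if (hash)
		*hash = '\0';

	for (tok = strtok_r(buf, " \t\r", &save); tok; tok = strtok_r(NULL, " \t\r", &save)) {
		char *eq;
		size_t klen;

		if (!strcmp(tok, "measure") || !strcmp(tok, "dont_measure")) {
			if (r->action != ACT_NONE)
				return PARSE_DUP_ACTION;
			r->action = strcmp(tok, "measure") ? ACT_DONT_MEASURE : ACT_MEASURE;
			continue;
		}
		eq = strchr(tok, '=');
		if (!eq || eq == tok || eq[1] == '\0')
			return PARSE_BAD_TOKEN;
		if (r->nkv >= MAX_KV)
			return PARSE_TOO_MANY;
		klen = (size_t)(eq - tok);
		if (klen >= sizeof(r->kv[0].key) || strlen(eq + 1) >= sizeof(r->kv[0].val))
			return PARSE_BAD_TOKEN;
		memcpy(r->kv[r->nkv].key, tok, klen);
		r->kv[r->nkv].key[klen] = '\0';
		strcpy(r->kv[r->nkv].val, eq + 1);
		r->nkv++;
	}
	if (r->action == ACT_NONE)
		return r->nkv ? PARSE_NO_ACTION : 0;
	return 1;
}

/* Load one write() buffer (not necessarily NUL-terminated) holding zero or
 * more newline-separated rules. Returns the number of rules added or a
 * negative parse_err. On error the policy is left untouched, so a bad line
 * in the middle of a multi-rule write cannot leave a half-loaded table. */
int policy_load(struct policy *p, const char *data, size_t len)
{
	struct policy tmp = *p;
	struct policy_rule r;
	char *copy, *save, *line;
	int added = 0, rc = 0;

	copy = malloc(len + 1);
	if (!copy)
		return PARSE_TOO_MANY;           /* stands in for -ENOMEM */
	memcpy(copy, data, len);
	copy[len] = '\0';

	for (line = strtok_r(copy, "\n", &save); line; line = strtok_r(NULL, "\n", &save)) {
		rc = parse_rule_line(line, &r);
		if (rc < 0)
			break;
		if (rc == 1) {
			if (tmp.nrules >= MAX_RULES) { rc = PARSE_TOO_MANY; break; }
			tmp.rules[tmp.nrules++] = r;
			added++;
		}
		rc = 0;
	}
	free(copy);
	if (rc < 0)
		return rc;
	*p = tmp;
	return added;
}

int main(void)
{
	/* constructed sample: two rules, a comment line, a blank line, a trailing comment */
	const char *text = "measure func=BPRM_CHECK mask=MAY_EXEC\n# comment\n\n"
	                   "dont_measure fsmagic=0x9fa0 # procfs\n";
	struct policy p;
	memset(&p, 0, sizeof(p));
	printf("rules loaded: %d\n", policy_load(&p, text, strlen(text)));
	printf("duplicate action: %d\n",
	       policy_load(&p, "measure dont_measure func=FILE_MMAP\n", 36));
	return 0;
}
```

Because policy_load() parses into a scratch copy and only commits when every line parsed, a rejected rule in a multi-rule write fails the whole write; that is the behaviour a `cat rules > policy` user would expect from the error return, rather than having the first N rules silently applied.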