From: Mimi Z. <zo...@li...> - 2010-04-14 22:20:10
On Wed, 2010-04-14 at 15:32 -0400, Eric Paris wrote:
> On Wed, Apr 14, 2010 at 5:51 AM, Roberto Sassu <rob...@po...> wrote:
> > Description of the issue:
> >
> > The parsing function is used only when custom rules must be loaded to replace
> > the default ones, but a different behavior can be observed with respect to the
> > first case: only one element is allocated and it is populated by the parsing
> > function that recognizes the tokens ' ' and '\n'.
> > So, having multiple lines in the file passed through the exported interface
> > doesn't lead to the same number of rules in the list, since only one allocated
> > item is available. If a directive spans two different lines, only the last
> > value is taken and the first one is overwritten.
>
> I admit I haven't looked at the loading code before and it does seem
> 'special.' It looks to me on first glance like the kernel accepts
> one rule per write() rather than one rule per line. If you send it
> two rules in a single write you are going to get a rather
> unpredictable result.

Similar to smack, one rule per write. Keeps it nice and simple.

> Your change is a good start to allow single writes which contain
> multiple rules. I'm guessing that's a good idea, though I think the
> parser should get a little smarter. Does it ever make sense to have 2
> actions in a single rule, with the last one winning? You also added
> support for some sort of commenting in the rule set, didn't you? That
> probably needs to be a lot stronger too....
>
> I'm not acking or nacking here, just trying to understand exactly the
> problem we are trying to solve. Loading rules using
>
> cat rule > /sys/kernel/security/ima/policy
>
> seems like a good direction to head.

hm, I was under the impression we wanted to minimize any policy/configuration parsing done in the kernel.

Mimi
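The overwrite behaviour Roberto describes and the stricter parsing Eric asks about, as an added example in C. This is not the kernel's IMA policy loader and not code from anyone in this thread: it is a toy userspace loader with two front ends over the same rule structure. parse_naive() splits the whole buffer on ' ' and '\n' into a single preallocated rule, so a second line (or a second action keyword) silently overwrites the first; parse_lines() treats each line as one rule, strips '#' comments, and rejects a rule that has two action keywords or none at all. The rule grammar is a deliberately reduced subset (assumed: one action keyword plus func= and mask= conditions), and the sample policy text is constructed for the example.

```c
#include <stdio.h>
#include <string.h>

enum action { ACT_NONE = 0, ACT_MEASURE, ACT_DONT_MEASURE,
              ACT_APPRAISE, ACT_DONT_APPRAISE, ACT_AUDIT };

/* Reduced rule model (assumption): one action keyword plus func= and mask= conditions. */
struct rule { enum action action; char func[32]; char mask[32]; };

static enum action action_of(const char *tok)
{
    static const struct { const char *name; enum action a; } tab[] = {
        { "measure", ACT_MEASURE }, { "dont_measure", ACT_DONT_MEASURE },
        { "appraise", ACT_APPRAISE }, { "dont_appraise", ACT_DONT_APPRAISE },
        { "audit", ACT_AUDIT } };
    for (size_t i = 0; i < sizeof tab / sizeof tab[0]; i++)
        if (strcmp(tok, tab[i].name) == 0)
            return tab[i].a;
    return ACT_NONE;
}

/* Next token in [*p, end) separated by any character in delims; 0 when none remain. */
static size_t next_token(const char **p, const char *end, const char *delims, const char **start)
{
    const char *s = *p;
    while (s < end && strchr(delims, *s)) s++;
    *start = s;
    while (s < end && !strchr(delims, *s)) s++;
    *p = s;
    return (size_t)(s - *start);
}

/* Store one token into r. With strict=1 a second action keyword is an error (-1) instead of
 * silently winning; unknown or oversized tokens return -2. */
static int apply_token(struct rule *r, const char *start, size_t len, int strict)
{
    char tok[64];
    if (len >= sizeof tok) return -2;
    memcpy(tok, start, len);
    tok[len] = '\0';
    enum action a = action_of(tok);
    if (a != ACT_NONE) {
        if (strict && r->action != ACT_NONE) return -1;
        r->action = a;
        return 0;
    }
    if (strncmp(tok, "func=", 5) == 0) { snprintf(r->func, sizeof r->func, "%s", tok + 5); return 0; }
    if (strncmp(tok, "mask=", 5) == 0) { snprintf(r->mask, sizeof r->mask, "%s", tok + 5); return 0; }
    return -2;
}

/* Loader as described in the report: one preallocated rule, ' ' and '\n' are both mere token
 * separators, and later values overwrite earlier ones. Returns 0 or 1 rules. */
int parse_naive(const char *text, struct rule *out)
{
    const char *p = text, *end = text + strlen(text), *tok;
    size_t len;
    int n = 0;
    memset(out, 0, sizeof *out);
    while ((len = next_token(&p, end, " \n", &tok)) > 0) {
        apply_token(out, tok, len, 0);   /* errors ignored: last token wins */
        n = 1;
    }
    return n;
}

/* Line-aware loader: one rule per line, '#' to end of line is a comment, blank lines skipped.
 * Returns the rule count, or -1 (two actions in one rule), -2 (unknown token),
 * -3 (more than max rules), -4 (rule with no action). The write is accepted or rejected as a
 * whole, so a bad buffer never leaves a partially loaded policy. */
int parse_lines(const char *text, struct rule *out, int max)
{
    const char *line = text, *end = text + strlen(text);
    int n = 0;
    while (line < end) {
        const char *nl = memchr(line, '\n', (size_t)(end - line));
        const char *lend = nl ? nl : end;
        const char *hash = memchr(line, '#', (size_t)(lend - line));
        const char *stop = hash ? hash : lend, *p = line, *tok;
        struct rule r = { ACT_NONE, "", "" };
        size_t len;
        int got = 0;
        while ((len = next_token(&p, stop, " \t", &tok)) > 0) {
            int rc = apply_token(&r, tok, len, 1);
            if (rc < 0) return rc;
            got = 1;
        }
        if (got) {
            if (r.action == ACT_NONE) return -4;
            if (n == max) return -3;
            out[n++] = r;
        }
        line = nl ? nl + 1 : end;
    }
    return n;
}

/* Constructed sample policy text for the demo (not a real policy file). */
const char *sample_policy =
    "# constructed sample, not a real policy\n"
    "measure func=BPRM_CHECK mask=MAY_EXEC\n"
    "appraise func=FILE_CHECK mask=MAY_READ\n";

int main(void)
{
    struct rule one, many[8];
    int n1 = parse_naive(sample_policy, &one);
    printf("naive: %d rule(s), action=%d func=%s\n", n1, one.action, one.func);
    printf("line-aware: %d rule(s)\n", parse_lines(sample_policy, many, 8));
    return 0;
}
```

Run on the sample, the naive loader reports a single appraise rule for FILE_CHECK, the measure rule having been overwritten exactly as the report describes, while the line-aware loader yields two rules. Feeding it "measure dont_measure func=X" shows the two designs diverge on Eric's question as well: the naive path lets dont_measure win, the strict path refuses the whole write, which is the safer default for anything that gates what gets measured or appraised.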