From: Petko M. <pe...@mi...> - 2015-09-11 18:59:42

On 15-09-11 13:50:33, Mimi Zohar wrote:
> On Fri, 2015-09-11 at 19:54 +0300, Petko Manolov wrote:
> >
> > Actually it is a hard requirement in our use case. The last thing we want is
> > somebody replacing the whole policy. We may as well not have IMA enabled.
>
> Glad to hear. The prior policy patches that were posted replaced the policy.

If there are strong arguments for this we can always add a configuration option
alternating between the two modes.

> > Last time I looked at this part of the code: the new policy will be accepted
> > up to the faulty rule. The rest will be ignored.
>
> Is that safe? I would prefer accepting all of the rules or nothing. I don't
> think it would be too hard to implement. Perhaps, keep a pointer to the last
> rule of the existing policy. If there is a malformed rule, delete everything
> from after the last existing policy rule.

No, it is not safe. I was merely noting the current state of affairs. What you
suggest is the right thing to do and will be present in the next version of the
patches.

> > In order to prevent this I've written a user-space tool that generates
> > syntactically correct rules. However, the issue must be addressed in some
> > other way as well. Do you think it is worth being more verbose when the
> > parser runs into a malformed rule?
>
> It currently isn't easy to detect which rule is malformed. Part of the
> problem is that when there are too many messages, messages are dropped. Adding
> more messages might aggravate the situation.

There shouldn't be too many messages when rejecting a new policy rule.

> With a patch for displaying the current policy, there's no need for displaying
> the policies during boot or any other time that the policy is being extended.
> We might then be able to actually see the malformed rule. I'm pretty sure
> someone has already posted an initial patch. [cc'ing linux-ima-user mailing
> list]

This is also on my todo list, but I'd gladly take an existing patch.

It is also a good idea to make the 'read' property a configuration option.

Petko
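As an added illustration of the all-or-nothing policy extension discussed above (remember the tail of the existing policy, and on a malformed rule drop everything appended after it), here is a small stand-alone C model. It is not part of this thread and not the kernel's IMA code: the rule struct, the list, the line-based validity check (only a known action keyword at the start of the line is accepted) and the sample rules are all constructed for the example. It also reports the line number of the rule that caused the rejection, since one message per rejected update is cheap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy rule: one policy line. Stand-in for illustration only,
 * not the kernel's rule structure. */
struct rule {
    char text[80];
    struct rule *next;
};

static struct rule *policy_head;   /* first rule of the live policy */
static struct rule *policy_tail;   /* last rule of the live policy */

/* Constructed validity check: a rule must begin with a known action.
 * The real parser checks much more; this is enough to show the rollback. */
static int rule_is_valid(const char *line)
{
    static const char *actions[] = {
        "measure ", "dont_measure ", "appraise ", "dont_appraise ", "audit "
    };
    size_t i;
    for (i = 0; i < sizeof(actions) / sizeof(actions[0]); i++)
        if (strncmp(line, actions[i], strlen(actions[i])) == 0)
            return 1;
    return 0;
}

/* Free every rule appended after saved_tail and make it the tail again. */
static void rollback_after(struct rule *saved_tail)
{
    struct rule *r = saved_tail ? saved_tail->next : policy_head;
    while (r) {
        struct rule *next = r->next;
        free(r);
        r = next;
    }
    if (saved_tail)
        saved_tail->next = NULL;
    else
        policy_head = NULL;
    policy_tail = saved_tail;
}

static int append_rule(const char *line)
{
    struct rule *r = calloc(1, sizeof(*r));
    if (!r)
        return -1;
    strncpy(r->text, line, sizeof(r->text) - 1);
    if (policy_tail)
        policy_tail->next = r;
    else
        policy_head = r;
    policy_tail = r;
    return 0;
}

/* Extend the live policy with buf (newline-separated rules).
 * Returns 0 and every rule is appended, or -1 and the policy is exactly
 * as it was before the call: a partial extension never survives. */
int ima_policy_extend(const char *buf)
{
    struct rule *saved_tail = policy_tail;   /* last rule of the old policy */
    const char *p = buf;
    int lineno = 0;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t raw = nl ? (size_t)(nl - p) : strlen(p);
        char line[80];
        size_t len = raw < sizeof(line) ? raw : sizeof(line) - 1;

        lineno++;
        memcpy(line, p, len);
        line[len] = '\0';
        p += raw;
        if (nl)
            p++;

        if (line[0] == '\0' || line[0] == '#')
            continue;   /* blank lines and comments carry no rule */

        if (!rule_is_valid(line) || append_rule(line) != 0) {
            /* One message per rejected update names the offending line. */
            fprintf(stderr, "policy update rejected at line %d: %s\n", lineno, line);
            rollback_after(saved_tail);
            return -1;
        }
    }
    return 0;
}

size_t ima_policy_count(void)
{
    size_t n = 0;
    struct rule *r;
    for (r = policy_head; r; r = r->next)
        n++;
    return n;
}

const char *ima_policy_last(void)
{
    return policy_tail ? policy_tail->text : NULL;
}
```

The important property is that `rollback_after` is keyed on the tail pointer captured before parsing started, so a rejected update cannot touch rules that were already live; callers only ever see the old policy or the old policy plus the whole update.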