Subject: Re: [PATCH] IMA: policy can be updated zero times
To: Petko Manolov <petkan@mip-labs.com>, Mimi Zohar <zohar@linux.vnet.ibm.com>
References: <1450792283-8702-1-git-send-email-sasha.levin@oracle.com>
 <1450814188.2774.9.camel@linux.vnet.ibm.com>
 <31A92AAB-5516-4176-A947-128CB65B6931@mip-labs.com>
Cc: dmitry.kasatkin@gmail.com, james.l.morris@oracle.com, serge@hallyn.com,
        linux-ima-devel@lists.sourceforge.net,
        linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
From: Sasha Levin <sasha.levin@oracle.com>
Message-ID: <5679C589.1060102@oracle.com>
Date: Tue, 22 Dec 2015 16:50:01 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101
 Thunderbird/38.4.0
MIME-Version: 1.0
In-Reply-To: <31A92AAB-5516-4176-A947-128CB65B6931@mip-labs.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 864
Lines: 18

On 12/22/2015 04:40 PM, Petko Manolov wrote:
>> Thanks, Sasha.  By the time ima_update_policy() is called
>> >ima_release_policy() has already output the policy update status
>> >message.  I guess an empty policy could be considered a valid policy.
>> >Could you add a msg indicating that the new policy was empty?
> 
> As far as I can say we can't get to ima_update_policy() with empty ima_temp_rules because ima_write_policy() will set valid_policy to 0 in case of an empty rule.  I'll double check it tomorrow, but please you do that too.

This is based on an actual crash rather than code analysis.


Thanks,
Sasha
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/