From: prakhar srivastava <prsriva02@gmail.com>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: linux-integrity <linux-integrity@vger.kernel.org>,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	Roberto Sassu <roberto.sassu@huawei.com>,
	vgoyal@redhat.com
Subject: Re: [PATCH V8 1/3] Define a new IMA hook to measure the boot command line arguments
Date: Fri, 14 Jun 2019 10:48:55 -0700
Message-ID: <CAEFn8qJS7MHN5o0kRjr-0_aqy0xkpCttFEzrh_8+9qqBmK3MdA@mail.gmail.com>
In-Reply-To: <1560453720.4805.46.camel@linux.ibm.com>

On Thu, Jun 13, 2019 at 12:22 PM Mimi Zohar <zohar@linux.ibm.com> wrote:
>
> Hi Prakhar,
>
> Patch titles in the subject line need to be prefixed with the
> subsystem, in this case "ima: ".
>
> On Wed, 2019-06-12 at 15:15 -0700, Prakhar Srivastava wrote:
> > This patch adds support in ima to measure kexec cmdline args
> > during soft reboot(kexec_file_load).
>
> Based on the patch title, the word "ima" is redundant.  Patch
> descriptions are supposed to be written in the third person. "This
> patch adds" is unnecessary.  Please review section 3 "Describe your
> changes" in Documentation/process/submitting-patches.rst.
>
> >
> > - A new ima hook ima_kexec_cmdline is defined to be called by the
> > kexec code.
> > - A new function process_buffer_measurement is defined to measure
> > the buffer hash into the ima log.
> > - A new func policy KEXEC_CMDLINE is defined to control the
> >  measurement.[Suggested by Mimi]
> >
> > Signed-off-by: Prakhar Srivastava <prsriva02@gmail.com>
>
>
> > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> > index fd9b01881d17..98e351e13557 100644
> > --- a/security/integrity/ima/ima_policy.c
> > +++ b/security/integrity/ima/ima_policy.c
> > @@ -292,6 +292,13 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
> >  {
> >       int i;
> >
> > +     /* only incase of KEXEC_CMDLINE, inode is NULL */
> > +     if (func == KEXEC_CMDLINE) {
> > +             if ((rule->flags & IMA_FUNC) &&
> > +                     (rule->func == func) && (!inode))
>
> Thank you for fixing the other formatting issues.  Here's another one.
>  Is checking !inode needed?
Since I am adding a new type (buffer) for measurement, and only
one (file or buffer) can be passed in, this is guarding against passing
the func as KEXEC_CMDLINE for a file.
I will remove it, since the check will still return true/false if the
rule doesn't exist.

and fix other formatting issues.
Thanks,
- Prakhar Srivastava
> Mimi
>
> > +                     return true;
> > +             return false;
> > +     }
> >       if ((rule->flags & IMA_FUNC) &&
> >           (rule->func != func && func != POST_SETATTR))
> >               return false;
> >
>
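Review bot: the new KEXEC_CMDLINE branch at the top of ima_match_rules() returns true or false unconditionally, so for this func a rule is decided on IMA_FUNC and rule->func alone and none of the checks that follow in the function are reached. The comment should state that intent instead of only noting that inode is NULL (and "incase" should read "in case"). The if / return true / return false sequence can be a single statement such as `return (rule->flags & IMA_FUNC) && rule->func == func;`, which drops the !inode test questioned above and removes the continuation line that is indented past the opening parenthesis, unlike the existing condition directly below it.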
