On 15-12-22 16:50:01, Sasha Levin wrote: > On 12/22/2015 04:40 PM, Petko Manolov wrote: > >> Thanks, Sasha. By the time ima_update_policy() is called > >> >ima_release_policy() has already output the policy update status > >> >message. I guess an empty policy could be considered a valid policy. > >> >Could you add a msg indicating that the new policy was empty? > > > > As far as I can say we can't get to ima_update_policy() with empty > > ima_temp_rules because ima_write_policy() will set valid_policy to 0 in > > case > > of an empty rule. I'll double check it tomorrow, but please you do that > > too. > > This is based on an actual crash rather than code analysis.
I was able to reproduce the crash with: echo "" > /sys/kernel/security/ima/policy It turns out ima_parse_add_rule() returns 1, even though the string is empty This logic may be part of "empty policy is a valid policy" or something else. As it is more dangerous to change the behavior at this point i assume your patch is the right solution for the problem. Acked-by: Petko Manolov <pet...@mip-labs.com> Mimi, shall we change ima_parse_add_rule's behavior in the future or it's too much work? cheers, Petko -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
