On Mon, 2015-05-11 at 15:42 +0200, Patrick Ohly wrote:
> Note that there is no kernel output at all when loading the policy
> (neither on success nor when it fails the signature check). Some more
> verbosity would have been useful. At least I couldn't figure out whether
> the kernel even tried to load the policy. Even with the .sig file in
> place and ima_load as boot parameter, the policy still doesn't get
> loaded.

After adding some more output to the kernel I figured out why it didn't
work: the IMA_LOAD_POLICY kernel feature depends on an
"IMA_POLICY_LOADER" config option which does not exist (and never has,
at least not in the public kernel tree). Therefore IMA_LOAD_POLICY
cannot be enabled and the kernel code isn't actually active. The
attached patch fixes that, and now it works for me.

However, I'm really scratching my head. How did policy loading work for
you when you wrote the Tizen Wiki instructions?

How could it happen that unusable code went into both systemd and the
Linux kernel? And finally, why has no-one noticed before? Am I really
the first one who actually tries to use the official upstream code?

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.


From b087eadb1a932eb4bb4468cf84d6b85b05d06070 Mon Sep 17 00:00:00 2001
From: Patrick Ohly <[email protected]>
Date: Tue, 12 May 2015 01:39:00 -0700
Subject: [PATCH] ima: fix configuration of policy loading

IMA_POLICY_REPLACEABLE and IMA_LOAD_POLICY depend on IMA_POLICY_LOADER,
which did not exist. As a result it was impossible to enable these
two options.

Signed-off-by: Patrick Ohly <[email protected]>
---
 security/integrity/ima/Kconfig | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index b31e3f7..2834cb2 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -158,6 +158,13 @@ config IMA_APPRAISE_SIGNED_INIT
 	help
 	   This option requires user-space init to be signed.
 
+config IMA_POLICY_LOADER
+        bool "IMA policy loading"
+        default n
+        help
+          Enabling this option grants controll over a variety of
+          options related to loading policy rules from files.
+
 config IMA_POLICY_REPLACEABLE
 	bool "Allows to replace policy at runtime"
 	depends on IMA_POLICY_LOADER
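Review bot: the help text of the new IMA_POLICY_LOADER entry misspells "control" as "controll" and does not say which options it gates; naming IMA_POLICY_REPLACEABLE and IMA_LOAD_POLICY (the two listed in the commit message) and stating that they allow the IMA policy to be loaded from files or replaced would let someone configuring a hardened kernel judge what enabling it opens up. The added lines are indented with spaces while the surrounding entries use tabs, and "default n" can be dropped because a bool without a default is already n. The new symbol also carries no "depends on" line of its own, so check whether it should depend on the IMA option unless the file already wraps this region in a conditional block.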
-- 
1.8.4.5

_______________________________________________
Dev mailing list
[email protected]
https://lists.tizen.org/listinfo/dev
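The failure described in this mail (options that can never be enabled because they depend on a symbol no entry defines) can be caught mechanically. The following is an added example, not code from the mail, the kernel or systemd; the sample Kconfig text is constructed, and the exact "depends on" line for IMA_LOAD_POLICY is an assumption based on the commit message.

```python
import re

# Constructed sample modelled on the mail: two options depend on
# IMA_POLICY_LOADER, which no "config" entry defines.
SAMPLE_KCONFIG = """\
config IMA
\tbool "Integrity Measurement Architecture"

config IMA_POLICY_REPLACEABLE
\tbool "Allows to replace policy at runtime"
\tdepends on IMA_POLICY_LOADER

config IMA_LOAD_POLICY
\tbool "Load policy at boot"
\tdepends on IMA && IMA_POLICY_LOADER
"""

DEFINE_RE = re.compile(r"^\s*(?:menu)?config\s+([A-Za-z0-9_]+)\s*$")
DEPEND_RE = re.compile(r"^\s*(?:depends on|select|imply)\s+(.*)$")
SYMBOL_RE = re.compile(r"\b[A-Z0-9][A-Z0-9_]*\b")  # symbols are upper case by convention

def undefined_dependencies(kconfig_text):
    """Return {undefined_symbol: [options that reference it]}."""
    defined, refs = set(), {}
    current, in_help = None, False
    for line in kconfig_text.splitlines():
        line = line.split("#", 1)[0]          # drop comments
        m = DEFINE_RE.match(line)
        if m:                                 # a new entry starts here
            current, in_help = m.group(1), False
            defined.add(current)
            continue
        if line.strip() in ("help", "---help---"):
            in_help = True                    # free text follows, do not parse it
            continue
        m = DEPEND_RE.match(line)
        if m and current and not in_help:
            expr = re.sub(r'"[^"]*"', "", m.group(1))   # ignore string literals
            for sym in SYMBOL_RE.findall(expr):
                if not sym.isdigit() and current not in refs.setdefault(sym, []):
                    refs[sym].append(current)
    # Resolve only after the full pass so later definitions count too.
    return {s: users for s, users in refs.items() if s not in defined}

if __name__ == "__main__":
    for symbol, users in undefined_dependencies(SAMPLE_KCONFIG).items():
        print(f"{symbol} is never defined; unreachable: {', '.join(users)}")
```

On a real tree, symbols are defined across many Kconfig files, so the function has to be run over the concatenation of all of them before a missing definition means anything.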
