On Sat, 2020-11-21 at 00:50 +0000, KP Singh wrote:
> From: KP Singh <[email protected]>
> 
> - Update the IMA policy before executing the test binary (this is not an
>   override of the policy, just an append that ensures that hashes are
>   calculated on executions).

Assuming the builtin policy has been replaced with a custom policy and
CONFIG_IMA_WRITE_POLICY is enabled, then yes, the rule is appended. If
a custom policy has not yet been loaded, loading this rule becomes the
de facto custom policy.

Even if a custom policy has been loaded, potentially additional
measurements unrelated to this test would be included in the measurement
list. One way of limiting a rule to a specific test is by loopback
mounting a file system and defining a policy rule based on the loopback
mount unique uuid.
 
Mimi
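
The loopback-mount approach suggested in the reply above, as an added example (not part of the thread or of the patch under review). It assumes root, `mkfs.ext4` and `blkid`, the securityfs policy file at `/sys/kernel/security/ima/policy`, and a `func=BPRM_CHECK` rule to cover the executions mentioned in the quoted commit message; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: limit an IMA measure rule to one loopback-mounted file system.
IMA_POLICY=/sys/kernel/security/ima/policy   # assumed securityfs location

# Print a measure rule scoped to the file system with the given UUID.
# Anything that is not a canonical UUID is rejected, so no extra
# conditions or rules can be smuggled into the policy line.
ima_rule_for_uuid() {
    case "$1" in
        ''|*[!0-9a-fA-F-]*) return 1 ;;
    esac
    printf '%s\n' "$1" |
        grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' || return 1
    printf 'measure func=BPRM_CHECK fsuuid=%s\n' "$1"
}

# Build a small ext4 image, loop-mount it, copy the test binary onto it and
# load the scoped rule. Prints the path to execute. Needs root.
setup_scoped_rule() {
    bin=$1
    dir=$2
    img="$dir/test.img"
    mnt="$dir/mnt"
    mkdir -p "$mnt" &&
    dd if=/dev/zero of="$img" bs=1M count=10 2>/dev/null &&
    mkfs.ext4 -q -F "$img" &&
    uuid=$(blkid -s UUID -o value "$img") &&
    rule=$(ima_rule_for_uuid "$uuid") &&
    mount -o loop "$img" "$mnt" &&
    cp "$bin" "$mnt/" &&
    # Appended to a loaded custom policy when CONFIG_IMA_WRITE_POLICY is
    # enabled; otherwise this write becomes the custom policy.
    printf '%s\n' "$rule" > "$IMA_POLICY" &&
    printf '%s\n' "$mnt/$(basename "$bin")"
}

# Unmount the image and remove the scratch files.
cleanup_scoped_rule() {
    umount "$1/mnt" && rm -rf "$1/mnt" "$1/test.img"
}

# Usage: sh this_script run /path/to/test_binary /path/to/scratch_dir
if [ "${1:-}" = "run" ]; then
    setup_scoped_rule "$2" "$3"
fi
```

Only executions of the copy on the loopback mount match the rule, so measurements added by this rule come from the test binary alone.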
