On Mon, 2015-06-01 at 10:05 -0400, Mimi Zohar wrote:
> On Mon, 2015-06-01 at 14:02 +0000, Zbigniew Jędrzejewski-Szmek wrote:
> > On Mon, Jun 01, 2015 at 08:57:57AM -0400, Mimi Zohar wrote:
> > > The original systemd IMA module loaded the IMA policy by mmaping the
> > > file into memory and then writing the entire file to
> > > <securityfs>/ima/policy. By changing this behavior of writing the
> > > entire file, commit 4dfb18922d5d "ima-setup: simplify" broke IMA
> > > policy loading.
> > >
> > > Please revert commit 4dfb18922d5d1efb13ee459cbf23832277f85ed7 and the
> > > related hunk from commit 7430ec6ac08f2c0416d9f806964c46b30f3862b2.
> >
> > I'm pretty sure that whether the input file was mmaped or read using
> > read() cannot influence the result. The difference must come from the
> > way that the output file is written. Current code also eventually calls
> > loop_write, except that it writes in chunks of COPY_BUFFER_SIZE (16*1024).
> > Previous code tried to write everything in one go. Does the output
> > file have to be written using one write() call?
>
> Yes

.. because splitting into chunks may truncate in the middle of an IMA rule, which then leads to parse errors (each write is parsed separately). That's the conceptual issue I had with the change. But as Mimi said, it's unlikely to hit in practice.

What's failing is continuing with sendfile() or regular write() after the /sys virtual file has parsed the first line and reported back a partial write. See http://sourceforge.net/p/linux-ima/mailman/message/34145236/ for more information.

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although I am an employee of Intel, the statements I make here in no way represent Intel's position on the issue, nor am I authorized to speak on behalf of Intel on this matter.
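Added example, not code from this thread, from systemd, or from the kernel: a constructed mock of a policy file that parses every write() on its own, fed the same policy once as a single write and once in fixed-size chunks. It shows why a chunk boundary inside a rule breaks loading while a 16 KiB chunk larger than a small policy does not; `mock_policy_write`, `write_in_chunks`, `write_whole` and the sample rules are hypothetical stand-ins, and the mock rejects a partial rule outright rather than reporting a short write as the real securityfs file does.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for the kernel side of <securityfs>/ima/policy:
 * each write() is parsed on its own, so a buffer that stops in the middle
 * of a rule (no trailing newline) is rejected as a parse error. This is a
 * simplified model, not the kernel's actual policy parser. */
static int rules_loaded;

static ssize_t mock_policy_write(const char *buf, size_t len) {
    if (len == 0 || buf[len - 1] != '\n')
        return -1;                         /* partial rule: parse error */
    for (size_t i = 0; i < len; i++)
        if (buf[i] == '\n')
            rules_loaded++;
    return (ssize_t) len;
}

/* Chunked writer modelled on the chunk loop described in the thread.
 * Returns the number of rules loaded, or -1 on the first rejected write. */
static int write_in_chunks(const char *policy, size_t chunk) {
    size_t len = strlen(policy), off = 0;
    rules_loaded = 0;
    while (off < len) {
        size_t n = len - off < chunk ? len - off : chunk;
        if (mock_policy_write(policy + off, n) < 0)
            return -1;
        off += n;
    }
    return rules_loaded;
}

/* Single write of the whole file, as the original mmap-based loader did. */
static int write_whole(const char *policy) {
    return write_in_chunks(policy, strlen(policy));
}

/* Constructed sample policy: three rules in IMA policy syntax. */
static const char SAMPLE_POLICY[] =
    "dont_measure fsmagic=0x9fa0\n"
    "measure func=BPRM_CHECK mask=MAY_EXEC\n"
    "appraise func=FILE_CHECK mask=MAY_READ uid=0\n";

int main(void) {
    printf("whole file:     %d rules\n", write_whole(SAMPLE_POLICY));
    printf("16 KiB chunks:  %d rules\n", write_in_chunks(SAMPLE_POLICY, 16 * 1024));
    printf("16 byte chunks: %d rules\n", write_in_chunks(SAMPLE_POLICY, 16));
    return 0;
}
```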
