Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set

From: David Howells
Date: Mon Oct 30 2017 - 05:00:39 EST


Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:

> Yes, that works. Thanks! Remember is_ima_appraise_enabled() is
> dependent on the "ima: require secure_boot rules in lockdown mode"
> patch - http://kernsec.org/pipermail/linux-security-module-archive/2017-October/003910.html.

What happens if the file in question is being accessed from a filesystem that
doesn't have xattrs and doesn't provide support for appraisal? Is it rejected
outright or just permitted?

David