Re: [PATCH v9 02/23] ima: Do not print policy rule with inactive LSM labels

From: Christian Brauner
Date: Wed Jan 26 2022 - 03:38:28 EST

Next message: Miles Chen: "Re: [PATCH 30/31] clk: mediatek: mt8195: Implement remove functions"
Previous message: Miles Chen: "Re: [PATCH 29/31] clk: mediatek: mt8195: Implement error handling in probe functions"
In reply to: Stefan Berger: "[PATCH v9 02/23] ima: Do not print policy rule with inactive LSM labels"
Next in thread: Mimi Zohar: "Re: [PATCH v9 02/23] ima: Do not print policy rule with inactive LSM labels"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Jan 25, 2022 at 05:46:24PM -0500, Stefan Berger wrote:
> From: Stefan Berger <stefanb@xxxxxxxxxxxxx>
>
> Before printing a policy rule scan for inactive LSM labels in the policy
> rule. Inactive LSM labels are identified by args_p != NULL and
> rule == NULL.
>
> Fixes: b16942455193 ("ima: use the lsm policy update notifier")

That commit message of the referenced patch reads:

"Don't do lazy policy updates while running the rule matching, run the
updates as they happen."

and given that we had a lengthy discussion how to update the rules I'd
really would have liked an explanation why the update needs to run
immediately. Not doing it lazily is the whole reason we have this
notifier infra. Why can't this be done lazily?

Next message: Miles Chen: "Re: [PATCH 30/31] clk: mediatek: mt8195: Implement remove functions"
Previous message: Miles Chen: "Re: [PATCH 29/31] clk: mediatek: mt8195: Implement error handling in probe functions"
In reply to: Stefan Berger: "[PATCH v9 02/23] ima: Do not print policy rule with inactive LSM labels"
Next in thread: Mimi Zohar: "Re: [PATCH v9 02/23] ima: Do not print policy rule with inactive LSM labels"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]