[PATCH v5] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime

nconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=appraise_data cause=missing-hash comm=bash name=/usr/bin/evmctl dev="dm-0" ino=493150 res=no Cc: sta...@vger.kernel.org Fixes: d958083a8f64 ("x86/ima: define arch_get_ima_policy() for x86") Signed-off-by: Bruno Men

Re: [PATCH v5] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime

On Fri, Jul 10, 2020 at 01:23:24PM -0400, Mimi Zohar wrote: > On Thu, 2020-07-09 at 13:46 -0300, Bruno Meneguele wrote: > > APPRAISE_BOOTPARAM has been marked as dependent on !ARCH_POLICY in compile > > time, enforcing the appraisal whenever the kernel had the arch policy opt

Re: [PATCH v5] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime

On Fri, Jul 10, 2020 at 03:03:38PM -0300, Bruno Meneguele wrote: > On Fri, Jul 10, 2020 at 01:23:24PM -0400, Mimi Zohar wrote: > > On Thu, 2020-07-09 at 13:46 -0300, Bruno Meneguele wrote: > > > APPRAISE_BOOTPARAM has been marked as dependent on !ARCH_POLICY in compile > &g

Re: [PATCH v5] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime

On Fri, Jul 10, 2020 at 02:54:48PM -0400, Mimi Zohar wrote: > On Fri, 2020-07-10 at 15:34 -0300, Bruno Meneguele wrote: > > On Fri, Jul 10, 2020 at 03:03:38PM -0300, Bruno Meneguele wrote: > > > On Fri, Jul 10, 2020 at 01:23:24PM -0400, Mimi Zohar wrote: > > > > On

Re: [PATCH v5] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime

On Fri, Jul 10, 2020 at 04:25:16PM -0300, Bruno Meneguele wrote: > On Fri, Jul 10, 2020 at 02:54:48PM -0400, Mimi Zohar wrote: > > On Fri, 2020-07-10 at 15:34 -0300, Bruno Meneguele wrote: > > > On Fri, Jul 10, 2020 at 03:03:38PM -0300, Bruno Meneguele wrote: > > > >

[PATCH v6] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime

f64 ("x86/ima: define arch_get_ima_policy() for x86") Signed-off-by: Bruno Meneguele --- v6: - explictly print the bootparam being ignored to the user (Mimi) v5: - add pr_info() to inform user the ima_appraise= boot param is being ignored due to secure boot enabled (Nayna) - add

Re: [PATCH v6] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime

On Mon, Jul 13, 2020 at 01:48:30PM -0300, Bruno Meneguele wrote: > The IMA_APPRAISE_BOOTPARAM config allows enabling different "ima_appraise=" > modes - log, fix, enforce - at run time, but not when IMA architecture > specific policies are enabled.  This prevents properly labeli

Re: [PATCH v6] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime

On Mon, Jul 20, 2020 at 10:56:55AM -0400, Mimi Zohar wrote: > On Mon, 2020-07-20 at 10:40 -0400, Nayna wrote: > > On 7/13/20 12:48 PM, Bruno Meneguele wrote: > > > The IMA_APPRAISE_BOOTPARAM config allows enabling different > > > "ima_appraise=" > > >

Re: [PATCH v6] ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime

On Tue, Jul 21, 2020 at 01:26:16PM -0400, Mimi Zohar wrote: > On Mon, 2020-07-20 at 12:38 -0300, Bruno Meneguele wrote: > > On Mon, Jul 20, 2020 at 10:56:55AM -0400, Mimi Zohar wrote: > > > On Mon, 2020-07-20 at 10:40 -0400, Nayna wrote: > > > > On 7/13/20 1