This repository was archived by the owner on Jan 15, 2025. It is now read-only.
ima: various fixes #283
Merged
ima: various fixes #283
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
No functional changes, it's just clearer.
Now, there is high alignment between ostree and EVM around ensuring that the security xattrs are immutable/signed too; but as I understand things, this attribute is really intended to be machine-local.
A use case here is where rpm-ostree may propagate existing IMA signatures from RPMs, but one wants to add signatures for other files that aren't signed (for example, the RPM database and non-packaged files).
It's cleaner and more efficient.
Change the mapping function to be "pure" and not have side effects on a cache, moving the cache mutation outside. Prep for possible parallelization.
cgwalters
force-pushed
the
ima-sign-enhancements
branch
from
6911f7d to
06583e7
Compare
lucab
approved these changes
Apr 19, 2022
cgwalters
added a commit
to cgwalters/ostree
that referenced
this pull request
Apr 21, 2022
Now that the fixed code for `ima-sign` landed in ostreedev/ostree-rs-ext#283
cgwalters
added a commit
to cgwalters/ostree
that referenced
this pull request
Oct 11, 2022
Now that the fixed code for `ima-sign` landed in ostreedev/ostree-rs-ext#283
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
ima: Clarify that key is a path
No functional changes, it's just clearer.
ima: Only do IMA signatures, not EVM
Now, there is high alignment between ostree and EVM around ensuring
that the security xattrs are immutable/signed too; but
as I understand things, this attribute is really intended to be
machine-local.
ima: Don't overwrite existing signatures by default
A use case here is where rpm-ostree may propagate existing IMA
signatures from RPMs, but one wants to add signatures for other
files that aren't signed (for example, the RPM database and non-packaged
files).
ima: Use an ostree transaction
It's cleaner and more efficient.