Message ID | 20211227145203.88857-1-bmeneg@redhat.com (mailing list archive) |
---|---|
State | New, archived |
Series | [v3] ima: silence measurement list hexdump during kexec |

On Mon, 2021-12-27 at 11:52 -0300, Bruno Meneguele wrote:
> The measurement list is being dumped during soft resets (kexec) through the
> call to print_hex_dump(KERN_DEBUG, ...) without considering the DEBUG
> compilation flag. With that, to avoid dumping this information to the system
> log whenever a soft reset happens during boot process, since the default
> console loglevel is generally set to 7 (debug) during boot, guard the call
> to print_hex_dump() with #ifdef for the DEBUG cflag.

The patch description needs to be rewritten/simplified. If the only problem is that "the console loglevel is generally set to 7 (debug)", why not begin the patch description with that?

Other things to consider including in the patch description:
- any side effects of the change (e.g. ability to dynamically enable output)?

thanks,

Mimi

diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c index f799cc278a9a..2d6db5fbda41 100644 --- a/security/integrity/ima/ima_kexec.c +++ b/security/integrity/ima/ima_kexec.c @@ -61,9 +61,11 @@ static int ima_dump_measurement_list(unsigned long *buffer_size, void **buffer, } memcpy(file.buf, &khdr, sizeof(khdr)); +#if defined(DEBUG) print_hex_dump(KERN_DEBUG, "ima dump: ", DUMP_PREFIX_NONE, 16, 1, file.buf, file.count < 100 ? file.count : 100, true); +#endif *buffer_size = file.count; *buffer = file.buf;
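
Review bot: The `#if defined(DEBUG)` guard around the print_hex_dump() call in ima_dump_measurement_list() makes the dump a compile-time choice, so on a kernel built without DEBUG there is no way left to enable this output at runtime, and the commit message does not mention that side effect. The changelog notes that print_hex_dump_debug "would not completely solve the case" but does not say why; that reasoning belongs in the commit message itself, since it is the justification for choosing the preprocessor guard. Minor style point: the commit text says "#ifdef" while the hunk uses `#if defined(DEBUG)`; for a single symbol, `#ifdef DEBUG` is the simpler form and would match the description.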

The measurement list is being dumped during soft resets (kexec) through the call to print_hex_dump(KERN_DEBUG, ...) without considering the DEBUG compilation flag. With that, to avoid dumping this information to the system log whenever a soft reset happens during boot process, since the default console loglevel is generally set to 7 (debug) during boot, guard the call to print_hex_dump() with #ifdef for the DEBUG cflag.

Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
---
Changelog:
- v2: guard call with #ifdef instead of using print_hex_dump_debug, which would not completely solve the case.
- v1: update commit log with more information.

 security/integrity/ima/ima_kexec.c | 2 ++
 1 file changed, 2 insertions(+)