Return same written policy to user space

[robertosassu]

Currently, IMA converts the policy string sent by user space into parsed rules, suitable for policy matching. It also supports a read method, which takes the parsed rules and converts them back to a policy string.

However, the problem is that during the original policy parsing some information are lost, such as comments and the order in which fields appear in a rule. This results in returning to user space a policy which is different from the one that was originally loaded. Returning the same policy would be useful for detecting duplicate policy load (such as in the case of systemd soft-reboot).

This issue keeps track of the efforts to modify the IMA policy code to return the original policy string.

[robertosassu]

@mimizohar

[mimizohar]

We discussed in the past returning the same policy rule format as were loaded. The impetus for opening this issue now is to simplify "ima: avoid duplicate policy rules insertions" patch.

The new systemd soft-reboot service re-loads the custom IMA policy rules, unnecessarily duplicating the custom IMA policy rules. Detecting and preventing re-loading the IMA custom policy should be in systemd, not the kernel. The kernel can help by returning the policy rules in the same format as were originally loaded.