[PATCH v5 02/10] IMA: Added keyrings= option in IMA policy to only measure keys added to the specified keyrings.
Mimi Zohar
zohar at linux.ibm.com
Tue Nov 12 17:58:29 UTC 2019
On Tue, 2019-11-12 at 09:43 -0800, Lakshmi Ramasubramanian wrote:
> On 11/12/2019 9:05 AM, Mimi Zohar wrote:
>
> > The C maximum line length is 80 characters. The subject line is even
> > less than that (~50). The Subject line here could be "ima: add
> > support to limit measuring keys".
> I'll update the subject line for the patches - limit to max 50 chars.
>
> >
> > On Mon, 2019-11-11 at 11:32 -0800, Lakshmi Ramasubramanian wrote:
> >> IMA policy needs to support measuring only those keys linked to
> >> a specific set of keyrings.
> >
> > Patch descriptions should be written in the imperative. For example,
> > "Limit measuring keys to those keys being loaded onto a specific
> > keyring."
> Will update.
>
> >
> >>
> >> This patch defines a new IMA policy option namely "keyrings=" that
> >> can be used to specify a set of keyrings. If this option is specified
> >> in the policy for func=KEYRING_CHECK then only the keys linked to
> >> the keyrings given in "keyrings=" option are measured.
> >
> > This description does not seem to match the code, which for some
> > reason isn't included in this patch, nor in 3/10. Please
> > combine/squash patches 2 & 3. Missing from the combined patch is the
> > keyring matching code in ima_match_rules().
>
> This patch defines "keyrings=" option in the IMA policy and adds the
> related field in ima_rule_entry struct.
>
> The code for updating the new field in ima_rule_entry is in patch #4
> [PATCH v5 04/10] IMA: Updated IMA policy functions to return keyrings
> option read from the policy
That's the problem. The keyrings doesn't need to be returned, but
processed in ima_match_rules().
Mimi
More information about the Linux-security-module-archive
mailing list