[PATCH v0] KEYS: Security LSM Hook for key_create_or_update
Lakshmi Ramasubramanian
nramas at linux.microsoft.com
Fri Oct 18 20:38:12 UTC 2019
On 10/18/19 1:25 PM, Casey Schaufler wrote:
>> Problem Statement:
>> key_create_or_update function currently does not have
>> a security LSM hook. The hook is needed to allow security
>> subsystems to use key create or update information.
>
> What security module(s) do you expect to use this?
SELinux is one that I can think of - it has hooks for key_alloc,
key_free, etc., but does not have one for key_create_or_update.
> IMA is not a Linux Security Module.
Agree. But ima utilizes LSM to hook into system operations (such as
read_file given below).
int security_kernel_post_read_file(struct file *file, char *buf,
				   loff_t size,
				   enum kernel_read_file_id id)
{
	int ret;

	ret = call_int_hook(kernel_post_read_file, 0, file,
			    buf, size, id);
	if (ret)
		return ret;
	return ima_post_read_file(file, buf, size, id);
}
I am currently working on an ima function to measure keys. The change
set I have submitted today is in preparation for that.
> You don't have a security module that provides this hook.
> We don't accept interfaces without users.
Like I have mentioned above, that change in ima will be submitted for
review shortly.
If you have suggestions for a better way to hook into key create/update
that ima can use to measure keys, I'll be happy to investigate that.
thanks,
-lakshmi
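A user-space model of the dispatch pattern the quoted security_kernel_post_read_file() follows, added here as an illustration and not code from this patch or from the kernel: the LSM hooks for a key create/update run first, any non-zero return ends the call, and IMA's measurement handler therefore only ever sees keys that every LSM allowed. The hook names security_key_create_or_update and ima_post_key_create_or_update, struct key_desc, the example policy and the sample keys are all assumptions of the model.

```c
#include <errno.h>
#include <string.h>
/* Minimal stand-in for the struct key fields a hook would inspect. */
struct key_desc { const char *type; const char *description; size_t payload_len; };
typedef int (*key_hook_fn)(const struct key_desc *key);
static key_hook_fn lsm_hooks[4]; /* registered LSM callbacks, in order */
static int nr_lsm_hooks;
static int ima_measured_keys;    /* keys IMA's handler actually recorded */

/* Stand-in (hypothetical name) for IMA's key-measurement handler. */
static int ima_post_key_create_or_update(const struct key_desc *key)
{
	ima_measured_keys += (key != NULL); /* model of "measure this key" */
	return 0;
}

/* Hypothetical security_key_create_or_update(), shaped like the quoted security_kernel_post_read_file():
 * LSM hooks run first, the first non-zero return wins, and IMA runs only if every LSM allowed the key. */
int security_key_create_or_update(const struct key_desc *key)
{
	for (int i = 0; i < nr_lsm_hooks; i++) {
		int ret = lsm_hooks[i](key);
		if (ret)
			return ret;
	}
	return ima_post_key_create_or_update(key);
}

/* Constructed LSM policy: refuse "user" keys that carry no payload. */
static int example_lsm_hook(const struct key_desc *key)
{
	return (strcmp(key->type, "user") == 0 && key->payload_len == 0) ? -EACCES : 0;
}

/* Reset the model and register the example policy; returns 0 on success. */
int setup_model(void)
{
	nr_lsm_hooks = 0;
	ima_measured_keys = 0;
	lsm_hooks[nr_lsm_hooks++] = example_lsm_hook;
	return 0;
}

/* Push one key create/update through the chain and return its verdict. */
int model_create_key(const char *type, const char *desc, size_t len)
{
	struct key_desc key = { type, desc, len };
	return security_key_create_or_update(&key);
}
int ima_measured_key_count(void) { return ima_measured_keys; }
```

Because IMA runs after the LSM chain, a key an LSM rejects never reaches the measurement list, which is the ordering a measuring subsystem wants from such a hook.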