[PATCH v4 2/6] IMA: conditionally allow empty rule data

Tushar Sugandhi tusharsu at linux.microsoft.com
Fri Oct 23 22:39:29 UTC 2020



On 2020-10-22 1:38 p.m., Mimi Zohar wrote:
> Hi Tushar,
> 
> On Wed, 2020-09-23 at 12:20 -0700, Tushar Sugandhi wrote:
>> ima_match_rule_data() permits the func to pass empty func_data.
>> For instance, for the following func, the func_data keyrings= is
>> optional.
>>      measure func=KEY_CHECK keyrings=.ima
>>
>> But a new func in future may want to constrain the func_data to
>> be non-empty.  ima_match_rule_data() should support this constraint
>> and it shouldn't be hard-coded in ima_match_rule_data().
>>
>> Update ima_match_rule_data() to conditionally allow empty func_data
>> for the func that needs it.
>>
>> Signed-off-by: Tushar Sugandhi <tusharsu at linux.microsoft.com>
> 
> Policy rules may constrain what is measured, but that decision should
> be left to the system owner or admin.
> 
> Mimi
> 
Agreed. As you mentioned in the patch 5/6 of this series,
I will get rid of this patch.

~Tushar



More information about the Linux-security-module-archive mailing list