From: Mimi Zohar <zohar@linux.ibm.com>
To: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
dhowells@redhat.com, matthewgarrett@google.com,
sashal@kernel.org, jamorris@linux.microsoft.com,
linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v7 4/5] IMA: Add support to limit measuring keys
Date: Thu, 14 Nov 2019 14:37:17 +0000 [thread overview]
Message-ID: <1573742237.4793.30.camel@linux.ibm.com> (raw)
In-Reply-To: <20191114031202.18012-5-nramas@linux.microsoft.com>
On Wed, 2019-11-13 at 19:12 -0800, Lakshmi Ramasubramanian wrote:
> +/**
> + * ima_match_keyring - determine whether the keyring matches the measure rule
> + * @rule: a pointer to a rule
> + * @keyring: name of the keyring to match against the measure rule
> + *
> + * If the measure action for KEY_CHECK does not specify keyrings> + * option then return true (Measure all keys).
> + * Else, return true if the given keyring name is present in
> + * the keyrings= option. False, otherwise.
> + */
> +static bool ima_match_keyring(struct ima_rule_entry *rule,
> + const char *keyring)
> +{
> + if ((keyring = NULL) || (rule->keyrings = NULL)
> + return true;
If the policy requires matching a specific keyring, then the "keyring"
needs to match. The logic, here, isn't quite right.
> + else
> + return (strstr(rule->keyrings, keyring) != NULL);
if (rule->keyrings) {
if (!keyring)
return false;
return (strstr(rule->keyrings, keyring) != NULL);
}
return true;
Keyrings may be created by userspace with any name (e.g. foo, foobar,
...). A keyring name might be a subset of another keyring name. For
example, with the policy "keyrings=foobar", keys being loaded on "foo"
would also be measured. Using strstr() will not achieve what is
needed.
Mimi
> +}
> +
> /**
> * ima_match_rules - determine whether an inode matches the measure rule.
> * @rule: a pointer to a rule
> @@ -364,18 +384,23 @@ int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event,
> * @secid: the secid of the task to be validated
> * @func: LIM hook identifier
> * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
> + * @keyring: keyring name to check in policy for KEY_CHECK func
> *
> * Returns true on rule match, false on failure.
> */
> static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
> const struct cred *cred, u32 secid,
> - enum ima_hooks func, int mask)
> + enum ima_hooks func, int mask,
> + const char *keyring)
> {
> int i;
>
> if ((func = KEXEC_CMDLINE) || (func = KEY_CHECK)) {
> - if ((rule->flags & IMA_FUNC) && (rule->func = func))
> + if ((rule->flags & IMA_FUNC) && (rule->func = func)) {
> + if (func = KEY_CHECK)
> + return ima_match_keyring(rule, keyring);
> return true;
> + }
> return false;
> }
> if ((rule->flags & IMA_FUNC) &&
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.ibm.com>
To: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
dhowells@redhat.com, matthewgarrett@google.com,
sashal@kernel.org, jamorris@linux.microsoft.com,
linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v7 4/5] IMA: Add support to limit measuring keys
Date: Thu, 14 Nov 2019 09:37:17 -0500 [thread overview]
Message-ID: <1573742237.4793.30.camel@linux.ibm.com> (raw)
In-Reply-To: <20191114031202.18012-5-nramas@linux.microsoft.com>
On Wed, 2019-11-13 at 19:12 -0800, Lakshmi Ramasubramanian wrote:
> +/**
> + * ima_match_keyring - determine whether the keyring matches the measure rule
> + * @rule: a pointer to a rule
> + * @keyring: name of the keyring to match against the measure rule
> + *
> + * If the measure action for KEY_CHECK does not specify keyrings=
> + * option then return true (Measure all keys).
> + * Else, return true if the given keyring name is present in
> + * the keyrings= option. False, otherwise.
> + */
> +static bool ima_match_keyring(struct ima_rule_entry *rule,
> + const char *keyring)
> +{
> + if ((keyring == NULL) || (rule->keyrings == NULL)
> + return true;
If the policy requires matching a specific keyring, then the "keyring"
needs to match. The logic, here, isn't quite right.
> + else
> + return (strstr(rule->keyrings, keyring) != NULL);
if (rule->keyrings) {
if (!keyring)
return false;
return (strstr(rule->keyrings, keyring) != NULL);
}
return true;
Keyrings may be created by userspace with any name (e.g. foo, foobar,
...). A keyring name might be a subset of another keyring name. For
example, with the policy "keyrings=foobar", keys being loaded on "foo"
would also be measured. Using strstr() will not achieve what is
needed.
Mimi
> +}
> +
> /**
> * ima_match_rules - determine whether an inode matches the measure rule.
> * @rule: a pointer to a rule
> @@ -364,18 +384,23 @@ int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event,
> * @secid: the secid of the task to be validated
> * @func: LIM hook identifier
> * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
> + * @keyring: keyring name to check in policy for KEY_CHECK func
> *
> * Returns true on rule match, false on failure.
> */
> static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
> const struct cred *cred, u32 secid,
> - enum ima_hooks func, int mask)
> + enum ima_hooks func, int mask,
> + const char *keyring)
> {
> int i;
>
> if ((func == KEXEC_CMDLINE) || (func == KEY_CHECK)) {
> - if ((rule->flags & IMA_FUNC) && (rule->func == func))
> + if ((rule->flags & IMA_FUNC) && (rule->func == func)) {
> + if (func == KEY_CHECK)
> + return ima_match_keyring(rule, keyring);
> return true;
> + }
> return false;
> }
> if ((rule->flags & IMA_FUNC) &&
next prev parent reply other threads:[~2019-11-14 14:37 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-14 3:11 [PATCH v7 0/5] KEYS: Measure keys when they are created or updated Lakshmi Ramasubramanian
2019-11-14 3:11 ` Lakshmi Ramasubramanian
2019-11-14 3:11 ` [PATCH v7 1/5] IMA: Add KEY_CHECK func to measure keys Lakshmi Ramasubramanian
2019-11-14 3:11 ` Lakshmi Ramasubramanian
2019-11-14 3:11 ` [PATCH v7 2/5] IMA: Define an IMA hook " Lakshmi Ramasubramanian
2019-11-14 3:11 ` Lakshmi Ramasubramanian
2019-11-14 18:30 ` Lakshmi Ramasubramanian
2019-11-14 18:30 ` Lakshmi Ramasubramanian
2019-11-14 3:12 ` [PATCH v7 3/5] KEYS: Call the " Lakshmi Ramasubramanian
2019-11-14 3:12 ` Lakshmi Ramasubramanian
2019-11-14 14:54 ` Mimi Zohar
2019-11-14 14:54 ` Mimi Zohar
2019-11-14 18:24 ` Lakshmi Ramasubramanian
2019-11-14 18:24 ` Lakshmi Ramasubramanian
2019-11-15 13:14 ` Mimi Zohar
2019-11-15 13:14 ` Mimi Zohar
2019-11-14 3:12 ` [PATCH v7 4/5] IMA: Add support to limit measuring keys Lakshmi Ramasubramanian
2019-11-14 3:12 ` Lakshmi Ramasubramanian
2019-11-14 14:37 ` Mimi Zohar [this message]
2019-11-14 14:37 ` Mimi Zohar
2019-11-14 18:18 ` Lakshmi Ramasubramanian
2019-11-14 18:18 ` Lakshmi Ramasubramanian
2019-11-14 3:12 ` [PATCH v7 5/5] IMA: Read keyrings= option from the IMA policy Lakshmi Ramasubramanian
2019-11-14 3:12 ` Lakshmi Ramasubramanian
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1573742237.4793.30.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=dhowells@redhat.com \
--cc=jamorris@linux.microsoft.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=matthewgarrett@google.com \
--cc=nramas@linux.microsoft.com \
--cc=sashal@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.