From: Mimi Zohar <zohar@linux.ibm.com>
To: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
linux-integrity@vger.kernel.org
Cc: eric.snowberg@oracle.com, dhowells@redhat.com,
matthewgarrett@google.com, sashal@kernel.org,
jamorris@linux.microsoft.com, linux-kernel@vger.kernel.org,
keyrings@vger.kernel.org
Subject: Re: [PATCH v9 5/6] IMA: Add support to limit measuring keys
Date: Wed, 27 Nov 2019 18:52:21 +0000
Message-ID: <1574880741.4793.292.camel@linux.ibm.com>
In-Reply-To: <20191127015654.3744-6-nramas@linux.microsoft.com>
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -79,6 +79,7 @@ struct ima_rule_entry {
> int type; /* audit type */
> } lsm[MAX_LSM_RULES];
> char *fsname;
> + char *keyrings; /* Measure keys added to these keyrings */
> struct ima_template_desc *template;
> };
>
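Review bot: the comment on the new `keyrings` member ("Measure keys added to these keyrings") is the first place a reader meets this field, so it should also state what the string holds: the raw `|`-separated list from the rule's `keyrings=` option, as the format is otherwise only documented inside ima_match_keyring(). Since this is a `char *` that is stored per rule, please also point to where it is freed when an ima_rule_entry is released and copied when one is duplicated; neither is visible in this hunk.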
> @@ -356,6 +357,55 @@ int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event,
> return NOTIFY_OK;
> }
>
> +/**
> + * ima_match_keyring - determine whether the keyring matches the measure rule
> + * @rule: a pointer to a rule
> + * @keyring: name of the keyring to match against the measure rule
> + *
> + * If the measure action for KEY_CHECK does not specify keyrings=
> + * option then return true (Measure all keys).
> + * Else, return true if the given keyring name is present in
> + * the keyrings= option. False, otherwise.
This is supposed to be a comment, not code or pseudo code. Please
refer to the section "Comments" in Documentation/process/coding-style.rst.
> + */
> +static bool ima_match_keyring(struct ima_rule_entry *rule,
> + const char *keyring)
> +{
> + const char *p;
> +
> + /* If "keyrings=" is not specified all keys are measured. */
> + if (!rule->keyrings)
> + return true;
> +
> + if (!keyring)
> + return false;
> +
> + /*
> + * "keyrings=" is specified in the policy in the format below:
> + * keyrings=.builtin_trusted_keys|.ima|.evm
> + *
> + * Each keyring name in the option is separated by a '|' and
> + * the last keyring name is null terminated.
> + *
> + * The given keyring is considered matched only if
> + * the whole keyring name matched a keyring name specified
> + * in the "keyrings=" option.
> + */
> + p = strstr(rule->keyrings, keyring);
> + if (p) {
> + /*
> + * Found a substring match. Check if the character
> + * at the end of the keyring name is | (keyring name
> + * separator) or is the terminating null character.
> + * If yes, we have a whole string match.
> + */
> + p += strlen(keyring);
> + if (*p == '|' || *p == '\0')
> + return true;
> + }
> +
Using "while strsep()" would simplify this code, removing the need for
such a long comment.
Mimi
> + return false;
> +}
> +
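Review bot: ima_match_keyring() only checks the boundary after the first strstr() hit, so it is not the whole-name match the comment above it promises. A name that is merely the tail of a listed keyring passes: keyring "ima" against "keyrings=.builtin_trusted_keys|.ima|.evm" finds "ima" inside ".ima", sees the following '|' and returns true. Conversely a name that is a whole token is missed when an earlier token happens to contain it: with a made-up list ".evm_test|.evm", keyring ".evm" hits ".evm_test" first, sees '_' and returns false without ever reaching the second token. Walking the list token by token, as suggested, fixes both, e.g. on a writable copy: `while ((p = strsep(&list, "|")) != NULL) if (!strcmp(p, keyring)) return true;` and the long format comment then reduces to one line saying the option is a `|`-separated list of keyring names.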
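The strsep-style whole-token match suggested in the reply, as an added userspace example that is neither the patch's code nor anything from the kernel tree. It places a transcription of the patch's strstr() matcher beside a token-by-token matcher and runs both over constructed rule strings, so the two ways a substring search disagrees with whole-name matching can be seen side by side. The token matcher scans with strchr() instead of strsep() so it works on a const string without a writable copy (kernel code would kstrdup() the rule string and strsep() it); the keyring name ".evm_test" is made up for the demonstration, and the functions take the `keyrings=` string directly instead of a struct ima_rule_entry.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Transcription of the patch's ima_match_keyring() logic: substring search,
 * then a check of the character after the first hit only.
 */
bool match_keyring_strstr(const char *keyrings, const char *keyring)
{
	const char *p;

	if (!keyrings)
		return true;	/* no keyrings= option: measure all keys */
	if (!keyring)
		return false;

	p = strstr(keyrings, keyring);
	if (p) {
		/* only the end boundary is checked, and only for the first hit */
		p += strlen(keyring);
		if (*p == '|' || *p == '\0')
			return true;
	}
	return false;
}

/*
 * Whole-token comparison: walk the '|'-separated list and accept only a
 * token that equals the keyring name exactly. This is what the suggested
 * "while ((tok = strsep(&list, "|")))" loop does, written with strchr()
 * so the const rule string need not be copied.
 */
bool match_keyring_token(const char *keyrings, const char *keyring)
{
	const char *tok;
	size_t klen;

	if (!keyrings)
		return true;	/* no keyrings= option: measure all keys */
	if (!keyring || !*keyring)
		return false;	/* an empty name never matches a token */

	klen = strlen(keyring);
	tok = keyrings;
	for (;;) {
		const char *sep = strchr(tok, '|');
		size_t toklen = sep ? (size_t)(sep - tok) : strlen(tok);

		if (toklen == klen && memcmp(tok, keyring, klen) == 0)
			return true;
		if (!sep)
			return false;
		tok = sep + 1;
	}
}

int main(void)
{
	/* constructed inputs; ".evm_test" is a made-up keyring name */
	static const struct {
		const char *keyrings;
		const char *keyring;
	} cases[] = {
		{ ".builtin_trusted_keys|.ima|.evm", ".ima" },	/* genuine match */
		{ ".builtin_trusted_keys|.ima|.evm", "ima" },	/* tail of ".ima" */
		{ ".builtin_trusted_keys|.ima|.evm", "keys" },	/* tail of first token */
		{ ".evm_test|.evm", ".evm" },			/* first hit fails boundary */
		{ NULL, ".ima" },				/* no keyrings= option */
	};
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%-34s %-6s strstr=%d token=%d\n",
		       cases[i].keyrings ? cases[i].keyrings : "(no keyrings=)",
		       cases[i].keyring,
		       match_keyring_strstr(cases[i].keyrings, cases[i].keyring),
		       match_keyring_token(cases[i].keyrings, cases[i].keyring));
	return 0;
}
```

The second and third cases are the ones that matter for policy: a rule meant to measure keys added to `.ima` would also fire for a keyring whose name is a suffix of a listed one, and the fourth case shows a listed keyring being skipped entirely because an earlier entry contained it as a prefix.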
Thread overview: 42+ messages
2019-11-27 1:56 [PATCH v9 0/6] KEYS: Measure keys when they are created or updated Lakshmi Ramasubramanian
2019-11-27 1:56 ` [PATCH v9 1/6] IMA: Check IMA policy flag Lakshmi Ramasubramanian
2019-11-27 1:56 ` [PATCH v9 2/6] IMA: Add KEY_CHECK func to measure keys Lakshmi Ramasubramanian
2019-11-27 1:56 ` [PATCH v9 3/6] IMA: Define an IMA hook to measure keys Lakshmi Ramasubramanian
2019-11-27 1:56 ` [PATCH v9 4/6] KEYS: Call the IMA hook to measure keys Lakshmi Ramasubramanian
2019-11-27 1:56 ` [PATCH v9 5/6] IMA: Add support to limit measuring keys Lakshmi Ramasubramanian
2019-11-27 18:52 ` Mimi Zohar [this message]
2019-11-28 0:44 ` Lakshmi Ramasubramanian
2019-12-02 18:18 ` Mimi Zohar
2019-12-03 12:25 ` Mimi Zohar
2019-12-03 16:13 ` Lakshmi Ramasubramanian
2019-12-03 16:47 ` Mimi Zohar
2019-12-03 19:45 ` Lakshmi Ramasubramanian
2019-12-03 20:06 ` Mimi Zohar
2019-12-03 23:37 ` Lakshmi Ramasubramanian
2019-12-04 11:16 ` Mimi Zohar
2019-12-04 22:43 ` Lakshmi Ramasubramanian
2019-12-04 23:25 ` Mat Martineau
2019-11-27 1:56 ` [PATCH v9 6/6] IMA: Read keyrings= option from the IMA policy Lakshmi Ramasubramanian
2019-11-27 19:32 ` Mimi Zohar
2019-11-27 22:05 ` Lakshmi Ramasubramanian