From: Mimi Zohar <zohar@linux.ibm.com>
To: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
	linux-integrity@vger.kernel.org
Cc: eric.snowberg@oracle.com, dhowells@redhat.com,
	matthewgarrett@google.com, sashal@kernel.org,
	jamorris@linux.microsoft.com, linux-kernel@vger.kernel.org,
	keyrings@vger.kernel.org,
	Janne Karhunen <janne.karhunen@gmail.com>
Subject: Re: [PATCH v0 1/2] IMA: Defined queue functions
Date: Wed, 27 Nov 2019 15:38:57 -0500	[thread overview]
Message-ID: <1574887137.4793.346.camel@linux.ibm.com> (raw)
In-Reply-To: <20191127025212.3077-2-nramas@linux.microsoft.com>

Hi Lakshmi,

Janne Karhunen is defining an IMA workqueue in order to more
frequently update the on disk security xattrs.  The Subject line on
this patch needs to be more explicit (eg. define workqueue for early
boot "key" measurements).

On Tue, 2019-11-26 at 18:52 -0800, Lakshmi Ramasubramanian wrote:
> Keys created or updated in the system before IMA is initialized

Keys created or updated before a custom policy is loaded are currently
not measured.

> should be queued up. And, keys (including any queued ones)
> should be processed when IMA initialization is completed.
> 
> This patch defines functions to queue and dequeue keys for
> measurement. A flag namely ima_process_keys_for_measurement
> is used to check if the key should be queued or should be
> processed immediately.
> 
> ima_policy_flag cannot be relied upon to make queuing decision
> because ima_policy_flag will be set to 0 when either IMA is
> not initialized or when the IMA policy itself is empty.

I'm not sure why you want to differentiate between IMA being
initialized vs. an empty policy.  I would think you would want to know
when a custom policy has been loaded.

Until ima_update_policy() is called, "ima_rules" points to the
architecture specific and configured policy rules, which are
persistent, and the builtin policy rules.  Once a custom policy is
loaded, "ima_rules" points to the architecture specific, configured,
and custom policy rules.

I would define a function that determines whether or not a custom
policy has been loaded.

(I still need to review adding/removing from the queue.)

> 
> @@ -27,14 +154,14 @@
>   * The payload data used to instantiate or update the key is measured.
>   */
>  void ima_post_key_create_or_update(struct key *keyring, struct key *key,
> -				   const void *payload, size_t plen,
> +				   const void *payload, size_t payload_len,
>  				   unsigned long flags, bool create)

This "hunk" and subsequent one seem to be just a variable name change.
It has nothing to do with queueing "key" measurements and shouldn't
be included in this patch.

Mimi

>  {
>  	/* Only asymmetric keys are handled by this hook. */
>  	if (key->type != &key_type_asymmetric)
>  		return;
>  
> -	if (!payload || (plen == 0))
> +	if (!payload || (payload_len == 0))
>  		return;
>  
>  	/*
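Review bot: Rename-only hunk: the signature change `plen` -> `payload_len` and the matching `if (!payload || (payload_len == 0))` check are the only differences here, so this belongs in a separate trivial cleanup patch (or should be dropped) rather than mixed into the queueing change. The header `@@ -27,14 +154,14 @@` also shows roughly 127 lines were added above this function in the same file that are not part of the quoted excerpt; that is presumably where the queue/dequeue functions the commit message describes live, and it is that part, not this rename, that needs review.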
> @@ -52,7 +179,7 @@ void ima_post_key_create_or_update(struct key *keyring, struct key *key,
>  	 * if the IMA policy is configured to measure a key linked
>  	 * to the given keyring.
>  	 */
> -	process_buffer_measurement(payload, plen,
> +	process_buffer_measurement(payload, payload_len,
>  				   keyring->description, KEY_CHECK, 0,
>  				   keyring->description);
>  }
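Review bot: As shown, this function still calls process_buffer_measurement() unconditionally, i.e. nothing in this patch consults the ima_process_keys_for_measurement flag that the commit message says decides between queueing and immediate processing. If that decision only lands in patch 2/2 ("Call queue functions to measure keys"), the 1/2 commit message should say so explicitly; and the `plen` -> `payload_len` rename in the process_buffer_measurement() call should go wherever the rest of that rename ends up, not here.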
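The two design points made in the reply above, deriving "has a custom policy been loaded?" from which rule list ima_rules points at, and holding early key measurements in a queue that is drained once the custom policy is installed, as one constructed user-space C model. This is an added illustration, not code from the patch, the thread, or the kernel: ima_default_rules, ima_policy_rules, ima_queue_key, ima_process_queued_keys, ima_queued_key_count and the stand-in ima_measure_key are assumed names, and the rule lists and queue entries are simplified stand-ins for the kernel's own structures.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed user-space model (not kernel code).  "ima_rules" points at the
 * builtin rule list until a custom policy is loaded, so "custom policy
 * loaded?" is derived from the pointer rather than from a separate flag.
 * Key measurements arriving before that point are queued and drained when
 * the custom policy is installed.  All names are assumptions.
 */
struct ima_rule_list {
	const char *name;
	int nrules;
};

static struct ima_rule_list ima_default_rules = { "builtin", 1 };
static struct ima_rule_list ima_policy_rules = { "custom", 0 };
static struct ima_rule_list *ima_rules = &ima_default_rules;

/* One key payload waiting for the custom policy to be loaded. */
struct ima_queued_key {
	char keyring[32];
	unsigned char *payload;
	size_t payload_len;
	struct ima_queued_key *next;
};

static struct ima_queued_key *key_queue_head;
static struct ima_queued_key **key_queue_tail = &key_queue_head;
static int measured_total;	/* payloads handed to measurement so far */

/* Predicate from the reply: custom policy loaded iff ima_rules moved off
 * the builtin list. */
static bool ima_custom_policy_loaded(void)
{
	return ima_rules == &ima_policy_rules;
}

/* Stand-in for process_buffer_measurement(): only counts measurements. */
static void ima_measure_key(const char *keyring, const unsigned char *payload,
			    size_t payload_len)
{
	(void)keyring; (void)payload; (void)payload_len;
	measured_total++;
}

static int ima_queue_key(const char *keyring, const unsigned char *payload,
			 size_t payload_len)
{
	struct ima_queued_key *entry = calloc(1, sizeof(*entry));

	if (!entry)
		return -1;
	entry->payload = malloc(payload_len);
	if (!entry->payload) {
		free(entry);
		return -1;
	}
	/* Copy the payload: the caller's buffer is gone by the time we drain. */
	memcpy(entry->payload, payload, payload_len);
	entry->payload_len = payload_len;
	snprintf(entry->keyring, sizeof(entry->keyring), "%s", keyring);
	*key_queue_tail = entry;	/* append, preserving arrival order */
	key_queue_tail = &entry->next;
	return 0;
}

/* Drain the queue against the now-loaded policy; returns entries processed. */
static int ima_process_queued_keys(void)
{
	struct ima_queued_key *entry = key_queue_head;
	int processed = 0;

	while (entry) {
		struct ima_queued_key *next = entry->next;

		ima_measure_key(entry->keyring, entry->payload, entry->payload_len);
		free(entry->payload);
		free(entry);
		entry = next;
		processed++;
	}
	key_queue_head = NULL;
	key_queue_tail = &key_queue_head;
	return processed;
}

static int ima_queued_key_count(void)
{
	int n = 0;

	for (struct ima_queued_key *e = key_queue_head; e; e = e->next)
		n++;
	return n;
}

static int ima_measured_total(void)
{
	return measured_total;
}

/* Model of the key hook: queue before the custom policy, measure after. */
static int ima_post_key_create_or_update(const char *keyring,
					 const unsigned char *payload,
					 size_t payload_len)
{
	if (!payload || payload_len == 0)
		return 0;
	if (!ima_custom_policy_loaded())
		return ima_queue_key(keyring, payload, payload_len);
	ima_measure_key(keyring, payload, payload_len);
	return 0;
}

/* Model of ima_update_policy(): switch ima_rules, then drain.  In the kernel
 * the switch and the drain would need a lock so a key arriving in between is
 * neither lost nor measured twice (assumption). */
static int ima_update_policy(void)
{
	ima_rules = &ima_policy_rules;
	return ima_process_queued_keys();
}

int main(void)
{
	const unsigned char k1[] = "constructed-key-1";	/* constructed sample */

	ima_post_key_create_or_update(".ima", k1, sizeof(k1));
	printf("queued: %d, drained: %d, measured: %d\n", ima_queued_key_count(),
	       ima_update_policy(), ima_measured_total());
	return 0;
}
```

The point of the model is the predicate: once a custom policy is loaded the hook measures immediately, and everything that arrived earlier is measured in arrival order from the queue, with an empty payload neither queued nor measured.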


