From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
To: Casey Schaufler <casey@schaufler-ca.com>,
zohar@linux.ibm.com, dhowells@redhat.com,
linux-security-module@vger.kernel.org,
linux-integrity@vger.kernel.org, keyrings@vger.kernel.org,
sashal@kernel.org, jamorris@linux.microsoft.com
Cc: msft-linux-kernel@linux.microsoft.com, prsriva@linux.microsoft.com
Subject: Re: [PATCH v0] KEYS: Security LSM Hook for key_create_or_update
Date: Fri, 18 Oct 2019 13:38:12 -0700 [thread overview]
Message-ID: <48a4db30-853b-ef6b-9d35-77ae0450b65d@linux.microsoft.com> (raw)
In-Reply-To: <e5ffe76e-ff9f-7542-2ff7-3ede4f911c2a@schaufler-ca.com>
On 10/18/19 1:25 PM, Casey Schaufler wrote:
>> Problem Statement:
>> key_create_or_update function currently does not have
>> a security LSM hook. The hook is needed to allow security
>> subsystems to use key create or update information.
>
> What security module(s) do you expect to use this?
SELinux is one that I can think of - it has hooks for key_alloc,
key_free, etc., but does not have one for key_create_or_update.
> IMA is not a Linux Security Module.
Agree. But ima utilizes LSM to hook into system operations (such as
read_file given below).
int security_kernel_post_read_file(struct file *file, char *buf,
                                   loff_t size,
                                   enum kernel_read_file_id id)
{
        int ret;

        /* Run the registered LSM hooks first; any error short-circuits. */
        ret = call_int_hook(kernel_post_read_file, 0, file,
                            buf, size, id);
        if (ret)
                return ret;
        /* Only then does IMA get to see the file contents. */
        return ima_post_read_file(file, buf, size, id);
}
I am currently working on an ima function to measure keys. The change
set I have submitted today is in preparation for that.
> You don't have a security module that provides this hook.
> We don't accept interfaces without users.
Like I have mentioned above, that change in ima will be submitted for
review shortly.
If you have suggestions for a better way to hook into key create/update
that ima can use to measure keys, I'll be happy to investigate that.
thanks,
-lakshmi
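The "LSM hooks first, IMA post-hook second" ordering quoted above, modelled in user space as an added example (not kernel code and not part of this thread); security_key_create_or_update, ima_post_key_create_or_update, lsm_reject_empty_payload and the FNV-1a digest are hypothetical stand-ins, not the real kernel API:

```c
/* Added example, not kernel code: user-space model of the pattern in the quoted
 * security_kernel_post_read_file(), applied to a hypothetical security_key_create_or_update():
 * LSM hooks run first, and only if none of them denies does the IMA post-hook measure the key. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
struct key_event { const char *description; const uint8_t *payload; size_t len; };
typedef int (*key_hook_t)(const struct key_event *ev);
enum { MAX_HOOKS = 4, MAX_MEASUREMENTS = 16 };
static key_hook_t key_hooks[MAX_HOOKS];
static uint64_t ima_log[MAX_MEASUREMENTS]; /* stand-in for IMA's measurement list */
static size_t nr_key_hooks, ima_log_len;
int register_key_hook(key_hook_t hook)
{
    if (nr_key_hooks >= MAX_HOOKS) return -ENOSPC;
    key_hooks[nr_key_hooks++] = hook;
    return 0;
}
size_t ima_log_count(void) { return ima_log_len; }
uint64_t ima_log_entry(size_t i) { return i < ima_log_len ? ima_log[i] : 0; }
/* Example LSM policy (hypothetical): refuse to create a key with no payload. */
int lsm_reject_empty_payload(const struct key_event *ev) { return ev->len ? 0 : -EACCES; }
/* Mirrors the kernel's call_int_hook(): stop at the first non-zero return. */
static int call_int_hook(const struct key_event *ev)
{
    for (size_t i = 0; i < nr_key_hooks; i++) {
        int rc = key_hooks[i](ev);
        if (rc) return rc;
    }
    return 0;
}
/* 64-bit FNV-1a stands in for the hash algorithm real IMA would use. */
uint64_t fnv1a64(const uint8_t *data, size_t len)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) { h ^= data[i]; h *= 0x100000001b3ULL; }
    return h;
}
/* IMA post-hook: append the payload digest; it observes, never denies. */
static int ima_post_key_create_or_update(const struct key_event *ev)
{
    if (ima_log_len >= MAX_MEASUREMENTS) return -ENOMEM;
    ima_log[ima_log_len++] = fnv1a64(ev->payload, ev->len);
    return 0;
}
int security_key_create_or_update(const struct key_event *ev)
{
    int ret = call_int_hook(ev); /* any LSM veto short-circuits measurement */
    return ret ? ret : ima_post_key_create_or_update(ev);
}
```

A key an LSM rejects never reaches the measurement list, which is the property the ordering in the quoted function guarantees.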
Thread overview: 3+ messages
2019-10-18 19:53 [PATCH v0] KEYS: Security LSM Hook for key_create_or_update Lakshmi Ramasubramanian
2019-10-18 20:25 ` Casey Schaufler
2019-10-18 20:38 ` Lakshmi Ramasubramanian [this message]