| field | value | date |
|---|---|---|
| author | Lakshmi Ramasubramanian <nramas@linux.microsoft.com> | 2019-12-11 19:47:06 +0300 |
| committer | Mimi Zohar <zohar@linux.ibm.com> | 2019-12-12 16:53:50 +0300 |
| commit | e9085e0ad38a333012629d815c203155d61ebe7e (patch) | |
| tree | 8b898569b294050174e83abe19dd2e51d0f7d12d /security/integrity/ima/ima_asymmetric_keys.c | |
| parent | cb1aa3823c9280f2bb8218cdb5cb05721e0376b1 (diff) | |
| download | linux-e9085e0ad38a333012629d815c203155d61ebe7e.tar.xz | |
IMA: Add support to limit measuring keys
Limit measuring keys to those keys being loaded onto a given set of
keyrings only and when the user id (uid) matches if uid is specified
in the policy.
This patch defines a new IMA policy option namely "keyrings=" that
can be used to specify a set of keyrings. If this option is specified
in the policy for "measure func=KEY_CHECK" then only the keys
loaded onto a keyring given in the "keyrings=" option are measured.
If uid is specified in the policy then the key is measured only if
the current user id matches the one specified in the policy.
Added a new parameter namely "keyring" (name of the keyring) to
process_buffer_measurement(). The keyring name is passed to
ima_get_action() to determine the required action.
ima_match_rules() is updated to check keyring in the policy, if
specified, for KEY_CHECK function.
Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
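The rule semantics described in the commit message (measure a key under `measure func=KEY_CHECK` only if its destination keyring is in the `keyrings=` list and, when `uid=` is given, only if the current uid matches) can be written out as a small user-space matcher. The block below is an added illustration, not code from this patch or from the kernel: the function names and the flat (keyrings, uid) rule representation are hypothetical simplifications of IMA's rule entries, and the `|` separator between keyring names is an assumption not stated on this page.

```c
/* Added example, not kernel code: decision logic behind an IMA rule of the
 * form "measure func=KEY_CHECK keyrings=<list> [uid=<n>]".
 * Assumptions (not stated on this page): keyring names in "keyrings=" are
 * separated by '|'; the function name and argument layout are a
 * hypothetical flattening of IMA's rule entry. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Marker for "no uid= in the rule". */
#define UID_UNSET ((uid_t)-1)

/* Whole-token lookup of 'name' in a '|'-separated list: ".ima" must not
 * match ".ima2", and a trailing '|' yields no extra empty match. */
static bool keyring_in_list(const char *list, const char *name)
{
	size_t nlen = strlen(name);
	const char *p = list;

	while (*p) {
		const char *end = strchr(p, '|');
		size_t len = end ? (size_t)(end - p) : strlen(p);

		if (len == nlen && memcmp(p, name, len) == 0)
			return true;
		if (!end)
			break;
		p = end + 1;
	}
	return false;
}

/* rule_keyrings: value of "keyrings=", or NULL when the rule has none
 *                (every keyring matches, as before this patch).
 * rule_uid:      value of "uid=", or UID_UNSET when the rule has none.
 * keyring:       description of the keyring the key is being linked to.
 * cur_uid:       uid of the task performing the key load.
 * Returns true when the key load should be measured. */
bool key_check_matches(const char *rule_keyrings, uid_t rule_uid,
		       const char *keyring, uid_t cur_uid)
{
	if (!keyring)
		return false;
	if (rule_keyrings && !keyring_in_list(rule_keyrings, keyring))
		return false;
	if (rule_uid != UID_UNSET && rule_uid != cur_uid)
		return false;
	return true;
}

int main(void)
{
	/* Constructed sample: rule "keyrings=.ima|.builtin_trusted_keys uid=0". */
	const char *rule = ".ima|.builtin_trusted_keys";

	printf("root loads into .ima:      %d\n",
	       key_check_matches(rule, 0, ".ima", 0));
	printf("uid 1000 loads into .ima:  %d\n",
	       key_check_matches(rule, 0, ".ima", 1000));
	printf("root loads into .ima2:     %d\n",
	       key_check_matches(rule, 0, ".ima2", 0));
	return 0;
}
```

The two early-exit checks mirror the commit message's two conditions: a missing `keyrings=` keeps the pre-patch behaviour (all keyrings), and `uid=` is only consulted when present in the rule.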
Diffstat (limited to 'security/integrity/ima/ima_asymmetric_keys.c')
-rw-r--r-- | security/integrity/ima/ima_asymmetric_keys.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/security/integrity/ima/ima_asymmetric_keys.c b/security/integrity/ima/ima_asymmetric_keys.c index 994d89d58af9..fea2e7dd3b09 100644 --- a/security/integrity/ima/ima_asymmetric_keys.c +++ b/security/integrity/ima/ima_asymmetric_keys.c @@ -46,7 +46,13 @@ void ima_post_key_create_or_update(struct key *keyring, struct key *key, * parameter to process_buffer_measurement() and is set * in the "eventname" field in ima_event_data for * the key measurement IMA event. + * + * The name of the keyring is also passed in the "keyring" + * parameter to process_buffer_measurement() to check + * if the IMA policy is configured to measure a key linked + * to the given keyring. */ process_buffer_measurement(payload, payload_len, - keyring->description, KEY_CHECK, 0); + keyring->description, KEY_CHECK, 0, + keyring->description); } |
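Review bot: the call to process_buffer_measurement() now passes `keyring->description` twice, once as the existing eventname argument and again as the new trailing keyring argument, so at this call site the two parameters always carry the same string; the added comment should state why both exist (the eventname goes into the measurement record's "eventname" field, while the keyring name is only consulted by ima_get_action() for policy matching) so a later reader does not collapse them, or a single local should be used if they are guaranteed identical for KEY_CHECK. Note also that the hunk changes the arity of process_buffer_measurement() while the diffstat is limited to this file, so the prototype and every other caller must be updated in the same commit for the tree to keep building.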