Subject: Re: [PATCH V3] IMA: Allow profiles to define the desired IMA template
From: Roberto Sassu
To: Mimi Zohar, Matthew Garrett
CC: Matthew Garrett
Date: Tue, 4 Jun 2019 16:40:01 +0200
Message-ID: <3b452fea-f8e6-ebd3-824d-f7b8c5ceae58@huawei.com>
In-Reply-To: <1559658772.4076.3.camel@linux.ibm.com>
References: <20190603201322.7443-1-matthewgarrett@google.com> <1559613113.3956.9.camel@linux.ibm.com> <18481910-ea3b-3ca7-ded2-46b094bbe959@huawei.com> <1559658772.4076.3.camel@linux.ibm.com>
List: linux-integrity@vger.kernel.org

On 6/4/2019 4:32 PM, Mimi Zohar wrote:
> On Tue, 2019-06-04 at 16:03 +0200, Roberto Sassu wrote:
>> On 6/4/2019 3:51 AM, Mimi Zohar wrote:
>>> On Mon, 2019-06-03 at 13:13 -0700, Matthew Garrett wrote:
>>>> Admins may wish to log different measurements using different IMA
>>>> templates. Add support for overriding the default template on a per-rule
>>>> basis.
>>>>
>>>> Signed-off-by: Matthew Garrett
>>>> ---
>>>>
>>>> Updated based on review feedback, verified that I can generate an event
>>>> log that contains multiple different templates.
>>>>
>>>> Documentation/ABI/testing/ima_policy | 6 ++++--
>>>> security/integrity/ima/ima.h | 13 +++++++++----
>>>> security/integrity/ima/ima_api.c | 24 ++++++++++++++++-------
>>>> security/integrity/ima/ima_appraise.c | 2 +-
>>>> security/integrity/ima/ima_init.c | 2 +-
>>>> security/integrity/ima/ima_main.c | 9 +++++----
>>>> security/integrity/ima/ima_policy.c | 28 +++++++++++++++++++++++++--
>>>> security/integrity/ima/ima_template.c | 10 ++++++++--
>>>> 8 files changed, 71 insertions(+), 23 deletions(-)
>>>>
>>>> diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
>>>> index 74c6702de74e..4ded0668a22d 100644
>>>> --- a/Documentation/ABI/testing/ima_policy
>>>> +++ b/Documentation/ABI/testing/ima_policy
>>>> @@ -24,8 +24,7 @@ Description:
>>>> [euid=] [fowner=] [fsname=]]
>>>> lsm: [[subj_user=] [subj_role=] [subj_type=]
>>>> [obj_user=] [obj_role=] [obj_type=]]
>>>> - option: [[appraise_type=]] [permit_directio]
>>>> -
>>>> + option: [[appraise_type=]] [template=] [permit_directio]
>>>> base: func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
>>>> [FIRMWARE_CHECK]
>>>> [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
>>>> @@ -38,6 +37,9 @@ Description:
>>>> fowner:= decimal value
>>>> lsm: are LSM specific
>>>> option: appraise_type:= [imasig]
>>>> + template:= name or format of a defined IMA template
>>>> + type (eg,ima-ng or d-ng|n-ng). Only valid when action
>>>> + is "measure".
>>>
>>> This patch only supports specifying the template name, not the
>>> template format description.  Please remove "d-ng|n-ng".
>>
>> The patch is correct. lookup_template_desc() also considers the format.
>
> Specifying the template format works if it is defined in
> builtin_templates[], but seems to fail if it isn't.

Yes, the original patch set supports the definition of new templates. That
part is not included in this patch.

Roberto

-- 
HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Bo PENG, Jian LI, Yanli SHI
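Review bot: the first hunk (`@@ -24,8 +24,7 @@`) removes the blank line that followed `option: [[appraise_type=]] [permit_directio]` as well as adding `[template=]`; that blank line separated the rule syntax summary from the `base: func:=` definitions that follow, and dropping it is an unrelated whitespace change that should be left out of this patch. While touching this line, consider marking in the syntax summary itself that `template=` is accepted only with `measure` (the restriction is currently stated only in the second hunk), so that a reader of the summary alone is not led to write `appraise ... template=`.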
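Review bot: in the second hunk (`@@ -38,6 +37,9 @@`), the new text `+ template:= name or format of a defined IMA template` promises more than the patch delivers: a format string resolves only when it is exactly the format of a template that is already defined, so `d-ng|n-ng` works because it is ima-ng's format, while any other format is rejected because nothing in this patch registers a new template from a format description. Either drop the `or format` wording and the `d-ng|n-ng` example, as the review requested, or state that the format must match one of the defined templates. Also `(eg,ima-ng` is missing a space after the comma, and the trailing `Only valid when action is "measure".` would read better as its own sentence on the `template:=` line rather than wrapped across the continuation line.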
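The disagreement above turns on what lookup_template_desc() matches against. The following userspace C model is an added example, not the patch's or the kernel's code: it reproduces the name-or-format matching the thread describes over a hand-copied built-in table (the three entries ima, ima-ng and ima-sig are an assumption about the table of the time; the kernel keeps them in a list, not an array), and adds two hypothetical helpers, rule_template_status() and rule_template_name(), that apply the documented "only valid when action is measure" rule to constructed policy lines. It shows why "d-ng|n-ng" resolves (it is ima-ng's format) while "n-ng|d-ng", the same fields in another order, does not, since no new template is created from a format description here.

```c
/* Added example, not kernel code: userspace model of per-rule "template="
 * resolution as discussed in the thread.  Assumption: builtin_templates[]
 * below mirrors the built-in table of the time (ima, ima-ng, ima-sig). */
#include <stdio.h>
#include <string.h>

struct ima_template_desc {
	const char *name;
	const char *fmt;
};

static const struct ima_template_desc builtin_templates[] = {
	{ "ima",     "d|n" },
	{ "ima-ng",  "d-ng|n-ng" },
	{ "ima-sig", "d-ng|n-ng|sig" },
};
#define NR_BUILTIN (sizeof(builtin_templates) / sizeof(builtin_templates[0]))

/* Name-or-format lookup.  A format string matches only when it is exactly
 * the format of an already-defined template; nothing here registers a new
 * template from an arbitrary format description. */
const struct ima_template_desc *lookup_template_desc(const char *name)
{
	size_t i;

	for (i = 0; i < NR_BUILTIN; i++)
		if (strcmp(builtin_templates[i].name, name) == 0 ||
		    strcmp(builtin_templates[i].fmt, name) == 0)
			return &builtin_templates[i];
	return NULL;
}

#define RULE_OK             0	/* no template= (default) or resolved */
#define RULE_UNKNOWN_TMPL  -1	/* template= is not a defined name/format */
#define RULE_WRONG_ACTION  -2	/* template= used with an action other than measure */

/* Hypothetical helper: inspects the action keyword (first token) and the
 * template= option of one policy rule line, e.g.
 * "measure func=BPRM_CHECK template=ima-sig".  On RULE_OK, *tmpl_name is
 * the resolved template name, or "(default)" when no override was given. */
int rule_template_status(const char *rule, const char **tmpl_name)
{
	char buf[256];
	const char *action = NULL, *tmpl = NULL;
	const struct ima_template_desc *desc;
	char *tok;

	*tmpl_name = NULL;
	if (strlen(rule) >= sizeof(buf))
		return RULE_UNKNOWN_TMPL;
	strcpy(buf, rule);

	for (tok = strtok(buf, " \t\n"); tok; tok = strtok(NULL, " \t\n")) {
		if (!action)
			action = tok;
		else if (strncmp(tok, "template=", 9) == 0)
			tmpl = tok + 9;
	}
	if (!action)
		return RULE_UNKNOWN_TMPL;
	if (!tmpl) {
		*tmpl_name = "(default)";
		return RULE_OK;
	}
	if (strcmp(action, "measure") != 0)
		return RULE_WRONG_ACTION;	/* documented: measure only */
	desc = lookup_template_desc(tmpl);
	if (!desc)
		return RULE_UNKNOWN_TMPL;
	*tmpl_name = desc->name;
	return RULE_OK;
}

/* Hypothetical helper: resolved name on success, NULL on any rejection. */
const char *rule_template_name(const char *rule)
{
	const char *name;

	return rule_template_status(rule, &name) == RULE_OK ? name : NULL;
}

int main(void)
{
	/* Constructed rule lines of the kind an admin would write into the policy. */
	static const char *const rules[] = {
		"measure func=BPRM_CHECK template=ima-sig",
		"measure func=FILE_CHECK mask=MAY_READ template=d-ng|n-ng",
		"measure func=MODULE_CHECK template=n-ng|d-ng",
		"appraise func=BPRM_CHECK template=ima-ng",
		"measure func=FILE_CHECK",
	};
	size_t i;

	for (i = 0; i < sizeof(rules) / sizeof(rules[0]); i++) {
		const char *name;
		int rc = rule_template_status(rules[i], &name);

		printf("%-58s -> %s\n", rules[i],
		       rc == RULE_OK ? name :
		       rc == RULE_WRONG_ACTION ? "rejected: template= only valid with measure" :
		       "rejected: not a defined template name or format");
	}
	return 0;
}
```

The third constructed rule is the one the review is about: every field in "n-ng|d-ng" exists, yet the lookup rejects it because the string is not the format of any defined template. Supporting it would require the template-definition part of the original series that Roberto says is not in this patch.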