From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> To: zohar@linux.ibm.com, dhowells@redhat.com, matthewgarrett@google.com, sashal@kernel.org, jamorris@linux.microsoft.com, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v4 03/10] IMA: Added keyrings= option in IMA policy to only measure keys added to the specifi Date: Wed, 06 Nov 2019 19:01:09 +0000 [thread overview] Message-ID: <20191106190116.2578-4-nramas@linux.microsoft.com> (raw) In-Reply-To: <20191106190116.2578-1-nramas@linux.microsoft.com> IMA policy needs to support measuring only those keys linked to a specific set of keyrings. This patch defines a new IMA policy option namely "keyrings=" that can be used to specify a set of keyrings. If this option is specified in the policy for func=KEYRING_CHECK then only the keys linked to the keyrings given in "keyrings=" option are measured. If "keyrings=" option is not specified for func=KEYRING_CHECK then all keys are measured. Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> --- Documentation/ABI/testing/ima_policy | 10 +++++++++- security/integrity/ima/ima_policy.c | 2 ++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy index 341df49b5ad1..be2874fa3928 100644 --- a/Documentation/ABI/testing/ima_policy +++ b/Documentation/ABI/testing/ima_policy @@ -25,7 +25,7 @@ Description: lsm: [[subj_user=] [subj_role=] [subj_type=] [obj_user=] [obj_role=] [obj_type=]] option: [[appraise_type=]] [template=] [permit_directio] - [appraise_flag=] + [appraise_flag=] [keyrings=] base: func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK] [FIRMWARE_CHECK] [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK] @@ -43,6 +43,9 @@ Description: appraise_flag:= [check_blacklist] Currently, blacklist check is only for files signed with appended signature. + keyrings:= list of keyrings + (eg, .builtin_trusted_keys|.ima). Only valid + when action is "measure" and func is KEYRING_CHECK. template:= name of a defined IMA template type (eg, ima-ng). Only valid when action is "measure". pcr:= decimal value @@ -119,3 +122,8 @@ Description: all keys: measure func=KEYRING_CHECK + + Example of measure rule using KEYRING_CHECK to only measure + keys added to .builtin_trusted_keys or .ima keyring: + + measure func=KEYRING_CHECK keyrings=.builtin_trusted_keys|.ima diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 4344b7354fc5..4d68ad8ed91c 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -34,6 +34,7 @@ #define IMA_EUID 0x0080 #define IMA_PCR 0x0100 #define IMA_FSNAME 0x0200 +#define IMA_KEYRINGS 0x0400 #define UNKNOWN 0 #define MEASURE 0x0001 /* same as IMA_MEASURE */ @@ -79,6 +80,7 @@ struct ima_rule_entry { int type; /* audit type */ } lsm[MAX_LSM_RULES]; char *fsname; + char *keyrings; /* Measure keys added to these keyrings */ struct ima_template_desc *template; }; -- 2.17.1
WARNING: multiple messages have this Message-ID (diff)
From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> To: zohar@linux.ibm.com, dhowells@redhat.com, matthewgarrett@google.com, sashal@kernel.org, jamorris@linux.microsoft.com, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v4 03/10] IMA: Added keyrings= option in IMA policy to only measure keys added to the specified keyrings. Date: Wed, 6 Nov 2019 11:01:09 -0800 [thread overview] Message-ID: <20191106190116.2578-4-nramas@linux.microsoft.com> (raw) In-Reply-To: <20191106190116.2578-1-nramas@linux.microsoft.com> IMA policy needs to support measuring only those keys linked to a specific set of keyrings. This patch defines a new IMA policy option namely "keyrings=" that can be used to specify a set of keyrings. If this option is specified in the policy for func=KEYRING_CHECK then only the keys linked to the keyrings given in "keyrings=" option are measured. If "keyrings=" option is not specified for func=KEYRING_CHECK then all keys are measured. Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> --- Documentation/ABI/testing/ima_policy | 10 +++++++++- security/integrity/ima/ima_policy.c | 2 ++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy index 341df49b5ad1..be2874fa3928 100644 --- a/Documentation/ABI/testing/ima_policy +++ b/Documentation/ABI/testing/ima_policy @@ -25,7 +25,7 @@ Description: lsm: [[subj_user=] [subj_role=] [subj_type=] [obj_user=] [obj_role=] [obj_type=]] option: [[appraise_type=]] [template=] [permit_directio] - [appraise_flag=] + [appraise_flag=] [keyrings=] base: func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK] [FIRMWARE_CHECK] [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK] @@ -43,6 +43,9 @@ Description: appraise_flag:= [check_blacklist] Currently, blacklist check is only for files signed with appended signature. + keyrings:= list of keyrings + (eg, .builtin_trusted_keys|.ima). Only valid + when action is "measure" and func is KEYRING_CHECK. template:= name of a defined IMA template type (eg, ima-ng). Only valid when action is "measure". pcr:= decimal value @@ -119,3 +122,8 @@ Description: all keys: measure func=KEYRING_CHECK + + Example of measure rule using KEYRING_CHECK to only measure + keys added to .builtin_trusted_keys or .ima keyring: + + measure func=KEYRING_CHECK keyrings=.builtin_trusted_keys|.ima diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 4344b7354fc5..4d68ad8ed91c 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -34,6 +34,7 @@ #define IMA_EUID 0x0080 #define IMA_PCR 0x0100 #define IMA_FSNAME 0x0200 +#define IMA_KEYRINGS 0x0400 #define UNKNOWN 0 #define MEASURE 0x0001 /* same as IMA_MEASURE */ @@ -79,6 +80,7 @@ struct ima_rule_entry { int type; /* audit type */ } lsm[MAX_LSM_RULES]; char *fsname; + char *keyrings; /* Measure keys added to these keyrings */ struct ima_template_desc *template; }; -- 2.17.1
next prev parent reply other threads:[~2019-11-06 19:01 UTC|newest] Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top 2019-11-06 19:01 [PATCH v4 0/10] KEYS: Measure keys when they are created or updated Lakshmi Ramasubramanian 2019-11-06 19:01 ` Lakshmi Ramasubramanian 2019-11-06 19:01 ` [PATCH v4 01/10] IMA: Defined an IMA hook to measure keys on key create or update Lakshmi Ramasubramanian 2019-11-06 19:01 ` Lakshmi Ramasubramanian 2019-11-06 22:43 ` Mimi Zohar 2019-11-06 22:43 ` Mimi Zohar 2019-11-07 0:21 ` Lakshmi Ramasubramanian 2019-11-07 0:21 ` Lakshmi Ramasubramanian 2019-11-07 3:40 ` Mimi Zohar 2019-11-07 3:40 ` Mimi Zohar 2019-11-07 18:42 ` Lakshmi Ramasubramanian 2019-11-07 18:42 ` Lakshmi Ramasubramanian 2019-11-07 20:53 ` Mimi Zohar 2019-11-07 20:53 ` Mimi Zohar 2019-11-07 21:12 ` Lakshmi Ramasubramanian 2019-11-07 21:12 ` Lakshmi Ramasubramanian 2019-11-06 19:01 ` [PATCH v4 02/10] IMA: Added KEYRING_CHECK func in IMA policy to measure keys Lakshmi Ramasubramanian 2019-11-06 19:01 ` Lakshmi Ramasubramanian 2019-11-06 19:01 ` Lakshmi Ramasubramanian [this message] 2019-11-06 19:01 ` [PATCH v4 03/10] IMA: Added keyrings= option in IMA policy to only measure keys added to the specified keyrings Lakshmi Ramasubramanian 2019-11-06 19:01 ` [PATCH v4 04/10] IMA: Read keyrings= option from the IMA policy into ima_rule_entry Lakshmi Ramasubramanian 2019-11-06 19:01 ` Lakshmi Ramasubramanian 2019-11-06 19:01 ` [PATCH v4 05/10] IMA: Updated IMA policy functions to return keyrings option read from the policy Lakshmi Ramasubramanian 2019-11-06 19:01 ` Lakshmi Ramasubramanian 2019-11-06 19:01 ` [PATCH v4 06/10] IMA: Measure key if the IMA policy allows measurement for the keyring to which the Lakshmi Ramasubramanian 2019-11-06 19:01 ` [PATCH v4 06/10] IMA: Measure key if the IMA policy allows measurement for the keyring to which the key is linked to Lakshmi Ramasubramanian 2019-11-06 19:01 ` [PATCH v4 07/10] IMA: Added a boolean flag to track IMA initialization status Lakshmi Ramasubramanian 2019-11-06 19:01 ` Lakshmi Ramasubramanian 2019-11-06 19:01 ` [PATCH v4 08/10] IMA: Defined functions to queue and dequeue keys for measurement Lakshmi Ramasubramanian 2019-11-06 19:01 ` Lakshmi Ramasubramanian 2019-11-06 22:44 ` Mimi Zohar 2019-11-06 22:44 ` Mimi Zohar 2019-11-06 23:52 ` Lakshmi Ramasubramanian 2019-11-06 23:52 ` Lakshmi Ramasubramanian 2019-11-07 2:20 ` Lakshmi Ramasubramanian 2019-11-07 2:20 ` Lakshmi Ramasubramanian 2019-11-06 19:01 ` [PATCH v4 09/10] IMA: Call queue and dequeue functions to measure keys Lakshmi Ramasubramanian 2019-11-06 19:01 ` Lakshmi Ramasubramanian 2019-11-06 19:01 ` [PATCH v4 10/10] KEYS: Call the IMA hook to measure key when a new key is created or an existing key Lakshmi Ramasubramanian 2019-11-06 19:01 ` [PATCH v4 10/10] KEYS: Call the IMA hook to measure key when a new key is created or an existing key is updated Lakshmi Ramasubramanian
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20191106190116.2578-4-nramas@linux.microsoft.com \ --to=nramas@linux.microsoft.com \ --cc=dhowells@redhat.com \ --cc=jamorris@linux.microsoft.com \ --cc=keyrings@vger.kernel.org \ --cc=linux-integrity@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-security-module@vger.kernel.org \ --cc=matthewgarrett@google.com \ --cc=sashal@kernel.org \ --cc=zohar@linux.ibm.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.