Re: [PATCH v9 5/6] IMA: Add support to limit measuring keys

[Mimi Zohar]

On Tue, 2019-12-03 at 11:45 -0800, Lakshmi Ramasubramanian wrote:
> Hi Mimi,
> 
> On 12/3/2019 4:25 AM, Mimi Zohar wrote:
> 
> > 
> > A keyring can be created by any user with any keyring name, other than
> >  Âones dot prefixed, which are limited to the trusted builtin keyrings.
> >  ÂWith a policy of "func=KEY_CHECK template=ima-buf keyrings=foo", for
> > example, keys loaded onto any keyring named "foo" will be measured.
> >  ÂFor files, the IMA policy may be constrained to a particular uid/gid.
> >  ÂAn additional method of identifying or constraining keyring names
> > needs to be defined.
> > 
> > Mimi
> > 
> 
> Are you expecting a functionality like the following?
> 
>   => Measure keys added to keyring "foo", but exclude certain keys 
> (based on some key identifier)
> 
> Sample policy might look like below:
> 
> action=MEASURE func=KEY_CHECK keyrings=foo|bar
> action=DONT_MEASURE key_magic=blah
> 
> So a key with key_magic "blah" will not be measured even though it is 
> added to the keyring "foo". But any other key added to "foo" will be 
> measured.
> 
> What would the constraining field in the key may be - Can it be SHA256 
> hash of the public key? Or, some other unique identifier?
> 
> Could you please clarify?

Suppose both root and uid 1000 define a keyring named "foo". ÂThe
current "keyrings=foo" will measure all keys added to either keyring
named "foo". ÂThere needs to be a way to limit measuring keys to a
particular keyring named "foo".

Mimi