Re: [PATCH v5 04/10] IMA: Updated IMA policy functions to return keyrings option read from the policy
From: Mimi Zohar
Date: Tue Nov 12 2019 - 12:05:27 EST
On Mon, 2019-11-11 at 11:32 -0800, Lakshmi Ramasubramanian wrote:
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 1aee3c8b9cf6..d1889eee9287 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -481,6 +481,7 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
> * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
> * @pcr: set the pcr to extend
> * @template_desc: the template that should be used for this rule
> + * @keyrings: set the keyrings for this rule, if specified
> *
> * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type)
> * conditions.
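Review bot: the new `@keyrings` kernel-doc line should make clear that this is an output parameter, like `@pcr` and `@template_desc` above it; as written, "set the keyrings for this rule" reads as if the caller supplies the keyrings rather than receives them. Suggested wording: `@keyrings: set to the matched rule's keyrings string, if the rule specifies one`. Since the later hunk stores a pointer into the rule entry rather than a copy, the comment should also state who owns that string and how long the caller may use it.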
> @@ -491,7 +492,8 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
> */
> int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,
> enum ima_hooks func, int mask, int flags, int *pcr,
> - struct ima_template_desc **template_desc)
> + struct ima_template_desc **template_desc,
> + char **keyrings)
> {
> struct ima_rule_entry *entry;
> int action = 0, actmask = flags | (flags << 1);
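Review bot: adding `char **keyrings` to ima_match_policy() changes a signature that the other IMA hooks call, so every existing caller must be updated to pass the extra argument (NULL where keyrings are not wanted, which the later `if ((keyrings) && ...)` check already tolerates). This hunk shows none of those call sites; the series should be checked so that callers are updated in the same patch, otherwise the tree does not build between patches of the series.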
> @@ -527,6 +529,9 @@ int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,
> if ((pcr) && (entry->flags & IMA_PCR))
> *pcr = entry->pcr;
>
> + if ((keyrings) && (entry->flags & IMA_KEYRINGS))
> + *keyrings = entry->keyrings;
ima_match_rules() determines whether the rule is in policy or not. It
returns true on rule match, false on failure. There's no need to
return the list of keyrings.
Mimi
> +
> if (template_desc && entry->template)
> *template_desc = entry->template;
>
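Review bot: `*keyrings = entry->keyrings;` hands the caller a pointer into the matched rule entry rather than a copy, so the returned string's lifetime is tied to that entry, and the hunk does not say how long the caller may use it or what happens if the policy is updated in the meantime. Either document the ownership and validity window (in the `@keyrings` kernel-doc and the commit message) or have the caller copy the string while the rule list is known to be stable. Style: the redundant parentheses in `if ((keyrings) && (entry->flags & IMA_KEYRINGS))` mirror the existing `(pcr)` check, so they are consistent, though `if (keyrings && (entry->flags & IMA_KEYRINGS))` would be the cleaner form.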