Re: [PATCH v9 5/6] IMA: Add support to limit measuring keys
From: Lakshmi Ramasubramanian
Date: Wed Nov 27 2019 - 19:44:30 EST
On 11/27/19 10:52 AM, Mimi Zohar wrote:
Hi Mimi,
+static bool ima_match_keyring(struct ima_rule_entry *rule,
+ const char *keyring)
+{
+ /*
+ * "keyrings=" is specified in the policy in the format below:
+ * keyrings=.builtin_trusted_keys|.ima|.evm
+ *
+ * Each keyring name in the option is separated by a '|' and
+ * the last keyring name is null terminated.
+ *
+ * The given keyring is considered matched only if
+ * the whole keyring name matched a keyring name specified
+ * in the "keyrings=" option.
+ */
+ p = strstr(rule->keyrings, keyring);
+ if (p) {
+ /*
+ * Found a substring match. Check if the character
+ * at the end of the keyring name is | (keyring name
+ * separator) or is the terminating null character.
+ * If yes, we have a whole string match.
+ */
+ p += strlen(keyring);
+ if (*p == '|' || *p == '\0')
+ return true;
+ }
+
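Review bot: the boundary check after the strstr() hit (`p += strlen(keyring); if (*p == '|' || *p == '\0')`) only validates the end of the match, so a keyring name that is the tail of a longer listed name still passes (`.ima` against `keyrings=.evm|foo.ima` finds `foo.ima` and sees the terminating NUL), and because strstr() returns only the first occurrence, a name whose first hit fails the check is rejected even when a later exact token exists (`.ima` against `.ima_x|.ima` stops at `.ima_x`). Either also require the character before the hit to be the start of the string or '|' and retry strstr() from `p + 1` when the boundary check fails, or walk the '|'-separated tokens and compare each one with strcmp(); the whole-name comment would then shrink to one line. The visible lines also neither declare `p` nor end with a `return false;`, which presumably sit in the cut-off part of the hunk.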
Using "while strsep()" would simplify this code, removing the need for
such a long comment.
Mimi
strsep() modifies the source string (replaces the delimiter with '\0'
and also updates the source string pointer). I am not sure it can be
used for our scenario. Please correct me if I am wrong.
Initial IMA policy:
-------------------
measure func=KEY_CHECK
keyrings=.ima|.evm|.builtin_trusted_keys|.blacklist template=ima-buf
Policy after adding a key to .ima keyring:
------------------------------------------
measure func=KEY_CHECK keyrings=.evm|.builtin_trusted_keys|.blacklist
template=ima-buf
Policy after adding a key to a keyring that is not listed in the policy:
------------------------------------------------------------------------
measure func=KEY_CHECK keyrings= template=ima-buf
********************************************************************************
Please see the description from the man page for strsep():
http://man7.org/linux/man-pages/man3/strsep.3.html
char *strsep(char **stringp, const char *delim);
This function finds the first token in the string *stringp, that is
delimited by one of the bytes in the string delim. This token is
terminated by overwriting the delimiter with a null byte ('\0'), and
*stringp is updated to point past the token.
thanks,
-lakshmi
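To make the two points of this exchange concrete (strsep() consumes the string it tokenizes, and the strstr() check matches only on the trailing boundary), here is an added userspace C example, not part of the patch or of the kernel tree: it tokenizes a private copy of the "keyrings=" value with strsep() so the rule string survives, next to the substring check from the hunk for comparison. The function names and the use of strdup() in place of the kernel's kstrdup() are this example's own.

```c
/* Added example: whole-name keyring matching for an IMA "keyrings=" option.
 * match_keyring_strsep() tokenizes a copy so the rule string is untouched;
 * match_keyring_strstr() mirrors the substring check from the patch. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* strsep() and strdup() are BSD/POSIX extensions; declare them explicitly
 * so this also compiles under a strict -std= setting. */
extern char *strsep(char **stringp, const char *delim);
extern char *strdup(const char *s);

/* Returns true only if @keyring equals one complete '|'-separated token of
 * @keyrings (".ima" matches ".evm|.ima" but not "foo.ima" or ".ima_x"). */
static bool match_keyring_strsep(const char *keyrings, const char *keyring)
{
	char *copy, *cur, *tok;
	bool found = false;

	if (!keyrings || !keyring)
		return false;
	/* strsep() overwrites each delimiter with '\0' and advances @cur,
	 * so tokenize a private copy (kstrdup() in the kernel). */
	copy = strdup(keyrings);
	if (!copy)
		return false;
	cur = copy;
	while ((tok = strsep(&cur, "|")) != NULL) {
		if (strcmp(tok, keyring) == 0) {
			found = true;
			break;
		}
	}
	free(copy);
	return found;
}

/* The substring approach from the patch, reproduced for contrast: it checks
 * only the character after the first strstr() hit, never the character
 * before it, and never looks at later occurrences. */
static bool match_keyring_strstr(const char *keyrings, const char *keyring)
{
	const char *p = strstr(keyrings, keyring);

	if (p) {
		p += strlen(keyring);
		if (*p == '|' || *p == '\0')
			return true;
	}
	return false;
}
```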