Re: [PATCH v9 5/6] IMA: Add support to limit measuring keys

From: Lakshmi Ramasubramanian
Date: Tue Dec 03 2019 - 14:45:15 EST


Hi Mimi,

On 12/3/2019 4:25 AM, Mimi Zohar wrote:


A keyring can be created by any user with any keyring name, other than
Âones dot prefixed, which are limited to the trusted builtin keyrings.
ÂWith a policy of "func=KEY_CHECK template=ima-buf keyrings=foo", for
example, keys loaded onto any keyring named "foo" will be measured.
ÂFor files, the IMA policy may be constrained to a particular uid/gid.
ÂAn additional method of identifying or constraining keyring names
needs to be defined.

Mimi


Are you expecting a functionality like the following?

=> Measure keys added to keyring "foo", but exclude certain keys (based on some key identifier)

Sample policy might look like below:

action=MEASURE func=KEY_CHECK keyrings=foo|bar
action=DONT_MEASURE key_magic=blah

So a key with key_magic "blah" will not be measured even though it is added to the keyring "foo". But any other key added to "foo" will be measured.

What would the constraining field in the key may be - Can it be SHA256 hash of the public key? Or, some other unique identifier?

Could you please clarify?

thanks,
-lakshmi