Re: [PATCH v9 5/6] IMA: Add support to limit measuring keys

From: Mimi Zohar
Date: Tue Dec 03 2019 - 15:07:10 EST


On Tue, 2019-12-03 at 11:45 -0800, Lakshmi Ramasubramanian wrote:
> Hi Mimi,
>
> On 12/3/2019 4:25 AM, Mimi Zohar wrote:
>
> >
> > A keyring can be created by any user with any keyring name, other than
> > Âones dot prefixed, which are limited to the trusted builtin keyrings.
> > ÂWith a policy of "func=KEY_CHECK template=ima-buf keyrings=foo", for
> > example, keys loaded onto any keyring named "foo" will be measured.
> > ÂFor files, the IMA policy may be constrained to a particular uid/gid.
> > ÂAn additional method of identifying or constraining keyring names
> > needs to be defined.
> >
> > Mimi
> >
>
> Are you expecting a functionality like the following?
>
> => Measure keys added to keyring "foo", but exclude certain keys
> (based on some key identifier)
>
> Sample policy might look like below:
>
> action=MEASURE func=KEY_CHECK keyrings=foo|bar
> action=DONT_MEASURE key_magic=blah
>
> So a key with key_magic "blah" will not be measured even though it is
> added to the keyring "foo". But any other key added to "foo" will be
> measured.
>
> What would the constraining field in the key may be - Can it be SHA256
> hash of the public key? Or, some other unique identifier?
>
> Could you please clarify?

Suppose both root and uid 1000 define a keyring named "foo". ÂThe
current "keyrings=foo" will measure all keys added to either keyring
named "foo". ÂThere needs to be a way to limit measuring keys to a
particular keyring named "foo".

Mimi