Re: [PATCH 10/12] ima: Move validation of the keyrings conditional into ima_validate_rule()
From: Mimi Zohar
Date: Thu Jun 25 2020 - 16:46:14 EST
> > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> > index 514baf24d6a5..ae2ec2a9cdb9 100644
> > --- a/security/integrity/ima/ima_policy.c
> > +++ b/security/integrity/ima/ima_policy.c
> > @@ -999,6 +999,12 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
> > case KEXEC_KERNEL_CHECK:
> > case KEXEC_INITRAMFS_CHECK:
> > case POLICY_CHECK:
> > + if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC |
> > + IMA_UID | IMA_FOWNER | IMA_FSUUID |
> > + IMA_INMASK | IMA_EUID | IMA_PCR |
> > + IMA_FSNAME))
>
> I accidentally left these out:
>
> (IMA_DIGSIG_REQUIRED | IMA_PERMIT_DIRECTIO | IMA_MODSIG_ALLOWED | IMA_CHECK_BLACKLIST)
>
> I'll add them in v2.
Thanks, I noticed when skimming the patches the first time around.
Mimi