Re: [PATCH v9 1/8] IMA: generalize keyring specific measurement constructs

[Tushar Sugandhi]

Hello Mimi,
Sorry for the late response. I was on vacation last week.

On 2020-12-24 5:06 a.m., Mimi Zohar wrote:
> On Sat, 2020-12-12 at 10:02 -0800, Tushar Sugandhi wrote:
> > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> > index 68956e884403..e76ef4bfd0f4 100644
> > --- a/security/integrity/ima/ima_main.c
> > +++ b/security/integrity/ima/ima_main.c
> > @@ -786,13 +786,13 @@ int ima_post_load_data(char *buf, loff_t size,
> >    * @eventname: event name to be used for the buffer entry.
> >    * @func: IMA hook
> >    * @pcr: pcr to extend the measurement
> > - * @keyring: keyring name to determine the action to be performed
> > + * @func_data: private data specific to @func, can be NULL.
>
> This can be simplified to "func specific data, may be NULL".   Please
> update in all places.
Ok, will do.
> >    *
> >    * Based on policy, the buffer is measured into the ima log.
> >    */
> >   void process_buffer_measurement(struct inode *inode, const void *buf, int size,
> >   				const char *eventname, enum ima_hooks func,
> > -				int pcr, const char *keyring)
> > +				int pcr, const char *func_data)
> >   {
> >   	int ret = 0;
> >   	const char *audit_cause = "ENOMEM";
> > @@ -831,7 +831,7 @@ void process_buffer_measurement(struct inode *inode, const void *buf, int size,
> >   	if (func) {
> >   		security_task_getsecid(current, &secid);
> >   		action = ima_get_action(inode, current_cred(), secid, 0, func,
> > -					&pcr, &template, keyring);
> > +					&pcr, &template, func_data);
> >   		if (!(action & IMA_MEASURE))
> >   			return;
> >   	}
> > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> > index 823a0c1379cb..a09d1a41a290 100644
> > --- a/security/integrity/ima/ima_policy.c
> > +++ b/security/integrity/ima/ima_policy.c
> > @@ -453,30 +453,41 @@ int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event,
> >   }
> >   
> >   /**
> > - * ima_match_keyring - determine whether the keyring matches the measure rule
> > - * @rule: a pointer to a rule
> > - * @keyring: name of the keyring to match against the measure rule
> > + * ima_match_rule_data - determine whether the given func_data matches
> > + *			 the measure rule data
>
> After the function_name is a brief description of the function, which
> should not span multiple lines.  Refer to Documentation/doc-
> guide/kernel-doc.rst for details.
>
> Please trim the function description to:
> determine whether func_data matches the policy rule
Thanks, will do.

> > + * @rule: IMA policy rule
>
> This patch should be limited to renaming "keyring" to "func_data".   It
> shouldn't make other changes, even simple ones like this.
Agreed. I will revert the rule description to the old one.
> > + * @func_data: data to match against the measure rule data
> >    * @cred: a pointer to a credentials structure for user validation
> >    *
> > - * Returns true if keyring matches one in the rule, false otherwise.
> > + * Returns true if func_data matches one in the rule, false otherwise.
> >    */
> > -static bool ima_match_keyring(struct ima_rule_entry *rule,
> > -			      const char *keyring, const struct cred *cred)
> > +static bool ima_match_rule_data(struct ima_rule_entry *rule,
> > +				const char *func_data,
> > +				const struct cred *cred)
> >   {
> > +	const struct ima_rule_opt_list *opt_list = NULL;
> >   	bool matched = false;
> >   	size_t i;
> >   
> >   	if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
> >   		return false;
> >   
> > -	if (!rule->keyrings)
> > -		return true;
> > +	switch (rule->func) {
> > +	case KEY_CHECK:
> > +		if (!rule->keyrings)
> > +			return true;
> > +
> > +		opt_list = rule->keyrings;
> > +		break;
> > +	default:
> > +		return false;
> > +	}
> >   
> > -	if (!keyring)
> > +	if (!func_data)
> >   		return false;
> >   
> > -	for (i = 0; i < rule->keyrings->count; i++) {
> > -		if (!strcmp(rule->keyrings->items[i], keyring)) {
> > +	for (i = 0; i < opt_list->count; i++) {
> > +		if (!strcmp(opt_list->items[i], func_data)) {
> >   			matched = true;
> >   			break;
> >   		}
> > @@ -493,20 +504,20 @@ static bool ima_match_keyring(struct ima_rule_entry *rule,
> >    * @secid: the secid of the task to be validated
> >    * @func: LIM hook identifier
> >    * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
> > - * @keyring: keyring name to check in policy for KEY_CHECK func
> > + * @func_data: private data specific to @func, can be NULL.
>
> Update as previously suggested.
Yes.
> >    *
> >    * Returns true on rule match, false on failure.
> >    */
> >   static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
> >   			    const struct cred *cred, u32 secid,
> >   			    enum ima_hooks func, int mask,
> > -			    const char *keyring)
> > +			    const char *func_data)
> >   {
> >   	int i;
> >   
> >   	if (func == KEY_CHECK) {
> >   		return (rule->flags & IMA_FUNC) && (rule->func == func) &&
> > -		       ima_match_keyring(rule, keyring, cred);
> > +			ima_match_rule_data(rule, func_data, cred);
> >   	}
> >   	if ((rule->flags & IMA_FUNC) &&
> >   	    (rule->func != func && func != POST_SETATTR))
> > @@ -610,8 +621,7 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
> >    * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
> >    * @pcr: set the pcr to extend
> >    * @template_desc: the template that should be used for this rule
> > - * @keyring: the keyring name, if given, to be used to check in the policy.
> > - *           keyring can be NULL if func is anything other than KEY_CHECK.
> > + * @func_data: private data specific to @func, can be NULL.
>
> And again here.
Yes.
> thanks,
>
> Mimi

Thanks,
Tushar