[PATCH v2 4/4] KEYS: Enabled ima policy to measure keys added to... | linux-security-module

[PATCH v2 0/4] KEYS: measure keys when they are created or updated · Lakshmi Ramasubramanian <hidden> · 2019-10-23
[PATCH v2 4/4] KEYS: Enabled ima policy to measure keys added to builtin_trusted_keys keyring · Lakshmi Ramasubramanian <hidden> · 2019-10-23
[PATCH v2 2/4] KEYS: Queue key for measurement if ima is not initialized. Measure queued keys when ima is initialized · Lakshmi Ramasubramanian <hidden> · 2019-10-23
[PATCH v2 3/4] KEYS: Added BUILTIN_TRUSTED_KEYS enum to measure keys added to builtin_trusted_keys keyring · Lakshmi Ramasubramanian <hidden> · 2019-10-23
Re: [PATCH v2 3/4] KEYS: Added BUILTIN_TRUSTED_KEYS enum to measure keys added to builtin_trusted_keys keyring · Mimi Zohar <zohar@linux.ibm.com> · 2019-10-27
Re: [PATCH v2 3/4] KEYS: Added BUILTIN_TRUSTED_KEYS enum to measure keys added to builtin_trusted_keys keyring · Lakshmi Ramasubramanian <hidden> · 2019-10-28
Re: [PATCH v2 3/4] KEYS: Added BUILTIN_TRUSTED_KEYS enum to measure keys added to builtin_trusted_keys keyring · Mimi Zohar <zohar@linux.ibm.com> · 2019-10-28
Re: [PATCH v2 3/4] KEYS: Added BUILTIN_TRUSTED_KEYS enum to measure keys added to builtin_trusted_keys keyring · Lakshmi Ramasubramanian <hidden> · 2019-10-28
[PATCH v2 1/4] KEYS: Defined an ima hook for measuring keys on key create or update · Lakshmi Ramasubramanian <hidden> · 2019-10-23
Re: [PATCH v2 1/4] KEYS: Defined an ima hook for measuring keys on key create or update · Mimi Zohar <zohar@linux.ibm.com> · 2019-10-25
Re: [PATCH v2 1/4] KEYS: Defined an ima hook for measuring keys on key create or update · Lakshmi Ramasubramanian <hidden> · 2019-10-25
Re: [PATCH v2 1/4] KEYS: Defined an ima hook for measuring keys on key create or update · Lakshmi Ramasubramanian <hidden> · 2019-10-25
Re: [PATCH v2 1/4] KEYS: Defined an ima hook for measuring keys on key create or update · Mimi Zohar <zohar@linux.ibm.com> · 2019-10-27
Re: [PATCH v2 1/4] KEYS: Defined an ima hook for measuring keys on key create or update · Lakshmi Ramasubramanian <hidden> · 2019-10-28

STALE2419d

Revisions (11)

2019-10-23 v1 [diff vs current]
2019-10-23 v2 current
2019-10-31 v3 [diff vs current]
2019-11-06 v4 [diff vs current]
2019-11-11 v5 [diff vs current]
2019-11-14 v7 [diff vs current]
2019-11-18 v8 [diff vs current]
2019-11-27 v9 [diff vs current]
2019-12-04 v10 [diff vs current]
2019-12-11 v11 [diff vs current]
2020-01-07 v1 [diff vs current]

[PATCH v2 4/4] KEYS: Enabled ima policy to measure keys added to builtin_trusted_keys keyring

From: Lakshmi Ramasubramanian <hidden>
Date: 2019-10-23 23:40:06
Also in: keyrings, linux-integrity, lkml
Subsystem: extended verification module (evm), integrity measurement architecture (ima), security subsystem, the rest · Maintainers: Mimi Zohar, Roberto Sassu, Dmitry Kasatkin, Paul Moore, James Morris, "Serge E. Hallyn", Linus Torvalds

Updated ima policy handler to check if the ima policy enables
measurement of keys added to the builtin_trusted_keys keyring.

With this patch measurement of keys added to the builtin_trusted_keys
keyring is enabled end-to-end.

Signed-off-by: Lakshmi Ramasubramanian <redacted>
---
 security/integrity/ima/ima_policy.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 6df7f641ff66..944636076152 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c

@@ -370,7 +370,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
 {
 	int i;
 
-	if (func == KEXEC_CMDLINE) {
+	if ((func == KEXEC_CMDLINE) || (func == BUILTIN_TRUSTED_KEYS)) {
 		if ((rule->flags & IMA_FUNC) && (rule->func == func))
 			return true;
 		return false;

@@ -959,6 +959,9 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
 				entry->func = POLICY_CHECK;
 			else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0)
 				entry->func = KEXEC_CMDLINE;
+			else if (strcmp(args[0].from,
+					"BUILTIN_TRUSTED_KEYS") == 0)
+				entry->func = BUILTIN_TRUSTED_KEYS;
 			else
 				result = -EINVAL;
 			if (!result)

-- 
2.17.1

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help