Re: [PATCH v4 2/6] IMA: conditionally allow empty rule data

[PATCH v4 0/6] IMA: Infrastructure for measurement of critical kernel data · Tushar Sugandhi <hidden> · 2020-09-23
[PATCH v4 2/6] IMA: conditionally allow empty rule data · Tushar Sugandhi <hidden> · 2020-09-23
Re: [PATCH v4 2/6] IMA: conditionally allow empty rule data · Mimi Zohar <zohar@linux.ibm.com> · 2020-10-22
Re: [PATCH v4 2/6] IMA: conditionally allow empty rule data · Tushar Sugandhi <hidden> · 2020-10-23
[PATCH v4 1/6] IMA: generalize keyring specific measurement constructs · Tushar Sugandhi <hidden> · 2020-09-23
Re: [PATCH v4 1/6] IMA: generalize keyring specific measurement constructs · Mimi Zohar <zohar@linux.ibm.com> · 2020-10-22
Re: [PATCH v4 1/6] IMA: generalize keyring specific measurement constructs · Tushar Sugandhi <hidden> · 2020-10-23
[PATCH v4 5/6] IMA: add hook to measure critical data from kernel components · Tushar Sugandhi <hidden> · 2020-09-23
Re: [PATCH v4 5/6] IMA: add hook to measure critical data from kernel components · Mimi Zohar <zohar@linux.ibm.com> · 2020-10-22
Re: [PATCH v4 5/6] IMA: add hook to measure critical data from kernel components · Tushar Sugandhi <hidden> · 2020-10-23
[PATCH v4 4/6] IMA: add policy to measure critical data from kernel components · Tushar Sugandhi <hidden> · 2020-09-23
Re: [PATCH v4 4/6] IMA: add policy to measure critical data from kernel components · Mimi Zohar <zohar@linux.ibm.com> · 2020-10-22
Re: [PATCH v4 4/6] IMA: add policy to measure critical data from kernel components · Tushar Sugandhi <hidden> · 2020-10-23
[PATCH v4 6/6] IMA: validate supported kernel data sources before measurement · Tushar Sugandhi <hidden> · 2020-09-23
[PATCH v4 3/6] IMA: update process_buffer_measurement to measure buffer hash · Tushar Sugandhi <hidden> · 2020-09-23
Re: [PATCH v4 0/6] IMA: Infrastructure for measurement of critical kernel data · Mimi Zohar <zohar@linux.ibm.com> · 2020-10-25
Re: [PATCH v4 0/6] IMA: Infrastructure for measurement of critical kernel data · Tushar Sugandhi <hidden> · 2020-10-27

From: Mimi Zohar <zohar@linux.ibm.com>
Date: 2020-10-22 20:39:15
Also in: dm-devel, linux-integrity, lkml, selinux

Hi Tushar,

On Wed, 2020-09-23 at 12:20 -0700, Tushar Sugandhi wrote:

ima_match_rule_data() permits the func to pass empty func_data.
For instance, for the following func, the func_data keyrings= is
optional.
    measure func=KEY_CHECK keyrings=.ima

But a new func in future may want to constrain the func_data to
be non-empty.  ima_match_rule_data() should support this constraint
and it shouldn't be hard-coded in ima_match_rule_data().

Update ima_match_rule_data() to conditionally allow empty func_data
for the func that needs it.

Signed-off-by: Tushar Sugandhi <redacted>

Policy rules may constrain what is measured, but that decision should
be left to the system owner or admin.

Mimi

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help