lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 12 Nov 2019 12:58:29 -0500
From:   Mimi Zohar <zohar@...ux.ibm.com>
To:     Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>,
        dhowells@...hat.com, matthewgarrett@...gle.com, sashal@...nel.org,
        jamorris@...ux.microsoft.com, linux-integrity@...r.kernel.org,
        linux-security-module@...r.kernel.org, keyrings@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v5 02/10] IMA: Added keyrings= option in IMA policy to
 only measure keys added to the specified keyrings.

On Tue, 2019-11-12 at 09:43 -0800, Lakshmi Ramasubramanian wrote:
> On 11/12/2019 9:05 AM, Mimi Zohar wrote:
> 
> > The C maximum line length is 80 characters.  The subject line is even
> > less than that (~50).  The Subject line here could be "ima: add
> > support to limit measuring keys".
> I'll update the subject line for the patches - limit to max 50 chars.
> 
> > 
> > On Mon, 2019-11-11 at 11:32 -0800, Lakshmi Ramasubramanian wrote:
> >> IMA policy needs to support measuring only those keys linked to
> >> a specific set of keyrings.
> > 
> > Patch descriptions should be written in the imperative.  For example,
> > "Limit measuring keys to those keys being loaded onto a specific
> > keyring."
> Will update.
> 
> > 
> >>
> >> This patch defines a new IMA policy option namely "keyrings=" that
> >> can be used to specify a set of keyrings. If this option is specified
> >> in the policy for func=KEYRING_CHECK then only the keys linked to
> >> the keyrings given in "keyrings=" option are measured.
> > 
> > This description does not seem to match the code, which for some
> > reason isn't included in this patch, nor in 3/10.  Please
> > combine/squash patches 2 & 3.  Missing from the combined patch is the
> > keyring matching code in ima_match_rules().
> 
> This patch defines "keyrings=" option in the IMA policy and adds the 
> related field in ima_rule_entry struct.
> 
> The code for updating the new field in ima_rule_entry is in patch #4
> [PATCH v5 04/10] IMA: Updated IMA policy functions to return keyrings 
> option read from the policy

That's the problem.  The keyrings doesn't need to be returned, but
processed in ima_match_rules().

Mimi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ