| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1575391661.5241.47.camel@linux.ibm.com>
Date: Tue, 03 Dec 2019 11:47:41 -0500
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>,
linux-integrity@...r.kernel.org
Cc: eric.snowberg@...cle.com, dhowells@...hat.com,
matthewgarrett@...gle.com, sashal@...nel.org,
jamorris@...ux.microsoft.com, linux-kernel@...r.kernel.org,
keyrings@...r.kernel.org
Subject: Re: [PATCH v9 5/6] IMA: Add support to limit measuring keys
On Tue, 2019-12-03 at 08:13 -0800, Lakshmi Ramasubramanian wrote:
> On 12/3/2019 4:25 AM, Mimi Zohar wrote:
>
> Hi Mimi,
>
> > Hi Lakshmi,
> >
> > A keyring can be created by any user with any keyring name, other than
> > ones dot prefixed, which are limited to the trusted builtin keyrings.
> > With a policy of "func=KEY_CHECK template=ima-buf keyrings=foo", for
> > example, keys loaded onto any keyring named "foo" will be measured.
> > For files, the IMA policy may be constrained to a particular uid/gid.
> > An additional method of identifying or constraining keyring names
> > needs to be defined.
> >
>
> I agree - this is a good idea.
>
> Do you think this can be added as a separate patch set - enhancement to
> the current one, or should this be addressed in the current set?
>
> I was just about to send an update today that addresses your latest
> comments. Will hold it if you think the above change should be included
> now. Please let me know.
I'm hoping that it won't be all that difficult to implement and could
be included in this patch set as an additional patch.
Mimi
Powered by blists - more mailing lists