| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2d20ce36-e24e-e238-4a82-286db9eeab97@linux.microsoft.com>
Date: Tue, 3 Dec 2019 11:45:31 -0800
From: Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>
To: Mimi Zohar <zohar@...ux.ibm.com>, linux-integrity@...r.kernel.org
Cc: eric.snowberg@...cle.com, dhowells@...hat.com,
matthewgarrett@...gle.com, sashal@...nel.org,
jamorris@...ux.microsoft.com, linux-kernel@...r.kernel.org,
keyrings@...r.kernel.org
Subject: Re: [PATCH v9 5/6] IMA: Add support to limit measuring keys
Hi Mimi,
On 12/3/2019 4:25 AM, Mimi Zohar wrote:
>
> A keyring can be created by any user with any keyring name, other than
> ones dot prefixed, which are limited to the trusted builtin keyrings.
> With a policy of "func=KEY_CHECK template=ima-buf keyrings=foo", for
> example, keys loaded onto any keyring named "foo" will be measured.
> For files, the IMA policy may be constrained to a particular uid/gid.
> An additional method of identifying or constraining keyring names
> needs to be defined.
>
> Mimi
>
Are you expecting a functionality like the following?
=> Measure keys added to keyring "foo", but exclude certain keys
(based on some key identifier)
Sample policy might look like below:
action=MEASURE func=KEY_CHECK keyrings=foo|bar
action=DONT_MEASURE key_magic=blah
So a key with key_magic "blah" will not be measured even though it is
added to the keyring "foo". But any other key added to "foo" will be
measured.
What would the constraining field in the key may be - Can it be SHA256
hash of the public key? Or, some other unique identifier?
Could you please clarify?
thanks,
-lakshmi
Powered by blists - more mailing lists