diff options
| author | Lakshmi Ramasubramanian <nramas@linux.microsoft.com> | 2019-12-11 08:47:06 -0800 |
|---|---|---|
| committer | Mimi Zohar <zohar@linux.ibm.com> | 2019-12-12 08:53:50 -0500 |
| commit | e9085e0ad38a333012629d815c203155d61ebe7e (patch) | |
| tree | 8b898569b294050174e83abe19dd2e51d0f7d12d /security/keys | |
| parent | cb1aa3823c9280f2bb8218cdb5cb05721e0376b1 (diff) | |
| download | linux-e9085e0ad38a333012629d815c203155d61ebe7e.tar.gz linux-e9085e0ad38a333012629d815c203155d61ebe7e.tar.bz2 linux-e9085e0ad38a333012629d815c203155d61ebe7e.zip | |
IMA: Add support to limit measuring keys
Limit measuring keys to those keys being loaded onto a given set of
keyrings only and when the user id (uid) matches if uid is specified
in the policy.
This patch defines a new IMA policy option namely "keyrings=" that
can be used to specify a set of keyrings. If this option is specified
in the policy for "measure func=KEY_CHECK" then only the keys
loaded onto a keyring given in the "keyrings=" option are measured.
If uid is specified in the policy then the key is measured only if
the current user id matches the one specified in the policy.
Added a new parameter namely "keyring" (name of the keyring) to
process_buffer_measurement(). The keyring name is passed to
ima_get_action() to determine the required action.
ima_match_rules() is updated to check keyring in the policy, if
specified, for KEY_CHECK function.
Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'security/keys')
0 files changed, 0 insertions, 0 deletions