• Lakshmi Ramasubramanian's avatar
    IMA: Add support to limit measuring keys · e9085e0a
    Lakshmi Ramasubramanian authored
    Limit measuring keys to those keys being loaded onto a given set of
    keyrings only and when the user id (uid) matches if uid is specified
    in the policy.
    
    This patch defines a new IMA policy option namely "keyrings=" that
    can be used to specify a set of keyrings. If this option is specified
    in the policy for "measure func=KEY_CHECK" then only the keys
    loaded onto a keyring given in the "keyrings=" option are measured.
    
    If uid is specified in the policy then the key is measured only if
    the current user id matches the one specified in the policy.
    
    Added a new parameter namely "keyring" (name of the keyring) to
    process_buffer_measurement(). The keyring name is passed to
    ima_get_action() to determine the required action.
    ima_match_rules() is updated to check keyring in the policy, if
    specified, for KEY_CHECK function.
    Signed-off-by: default avatarLakshmi Ramasubramanian <nramas@linux.microsoft.com>
    Signed-off-by: default avatarMimi Zohar <zohar@linux.ibm.com>
    e9085e0a
ima.h 11.8 KB