On Tue, 2019-06-04 at 16:03 +0200, Roberto Sassu wrote: > On 6/4/2019 3:51 AM, Mimi Zohar wrote: > > On Mon, 2019-06-03 at 13:13 -0700, Matthew Garrett wrote: > >> Admins may wish to log different measurements using different IMA > >> templates. Add support for overriding the default template on a per-rule > >> basis. > >> > >> Signed-off-by: Matthew Garrett <mjg59@xxxxxxxxxx> > >> --- > >> > >> Updated based on review feedback, verified that I can generate an event > >> log that contains multiple different templates. > >> > >> Documentation/ABI/testing/ima_policy | 6 ++++-- > >> security/integrity/ima/ima.h | 13 +++++++++---- > >> security/integrity/ima/ima_api.c | 24 ++++++++++++++++------- > >> security/integrity/ima/ima_appraise.c | 2 +- > >> security/integrity/ima/ima_init.c | 2 +- > >> security/integrity/ima/ima_main.c | 9 +++++---- > >> security/integrity/ima/ima_policy.c | 28 +++++++++++++++++++++++++-- > >> security/integrity/ima/ima_template.c | 10 ++++++++-- > >> 8 files changed, 71 insertions(+), 23 deletions(-) > >> > >> diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy > >> index 74c6702de74e..4ded0668a22d 100644 > >> --- a/Documentation/ABI/testing/ima_policy > >> +++ b/Documentation/ABI/testing/ima_policy > >> @@ -24,8 +24,7 @@ Description: > >> [euid=] [fowner=] [fsname=]] > >> lsm: [[subj_user=] [subj_role=] [subj_type=] > >> [obj_user=] [obj_role=] [obj_type=]] > >> - option: [[appraise_type=]] [permit_directio] > >> - > >> + option: [[appraise_type=]] [template=] [permit_directio] > >> base: func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK] > >> [FIRMWARE_CHECK] > >> [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK] 
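Review bot: the hunk removes the blank line that separated the option: line from the base: block (the `-` line with no content after `- option: [[appraise_type=]] [permit_directio]`), so the rule-grammar summary in the ABI file loses its visual break before `base: func:= ...`. If that is not intentional, keep the blank line and limit the change to adding `[template=]` to the option: line.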
> >> @@ -38,6 +37,9 @@ Description: > >> fowner:= decimal value > >> lsm: are LSM specific > >> option: appraise_type:= [imasig] > >> + template:= name or format of a defined IMA template > >> + type (eg,ima-ng or d-ng|n-ng). Only valid when action > >> + is "measure". > > > > This patch only supports specifying the template name, not the > > template format description. Please remove "d-ng|n-ng". > > The patch is correct. lookup_template_desc() also considers the format. Specifying the template format works if it is defined in builtin_templates[], but seems to fail if it isn't. Mimi
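Review bot: the new text "name or format of a defined IMA template type (eg,ima-ng or d-ng|n-ng)" promises more than the thread says the code delivers: the reply notes that a format string resolves only when it matches an entry in builtin_templates[] and fails otherwise, so either document the option as a template name only, or say explicitly that a format is accepted only for formats the kernel already defines. "eg,ima-ng" should read "e.g. ima-ng". The sentence "Only valid when action is "measure"" also leaves open whether template= on an appraise, audit or dont_measure rule is rejected when the policy is loaded or silently ignored; the ABI text should state which.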
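The following is an added example, not code from the patch or from anyone in the thread. It writes a policy that uses the per-rule template= option the patch adds, using only the template names the ABI text cites (ima-ng and the d-ng|n-ng format), and then counts template names in a measurement log so an admin can confirm that one log really carries several templates. Assumptions: the policy is loaded through /sys/kernel/security/ima/policy; the ascii_runtime_measurements format is "PCR template-hash template-name fields...", so the template name is the third column; and a template chosen by format shows up in the log under its format string. The log lines below are constructed, with placeholder hashes.

```shell
#!/bin/sh
# Added example (not from the patch or the thread).

# Policy using the per-rule template= option. The d-ng|n-ng rule relies on
# the format being resolvable, which the reply in the thread says only
# works for formats present in builtin_templates[] (assumption carried
# over from that statement, not verified here).
ima_policy() {
    cat <<'EOF'
measure func=BPRM_CHECK template=ima-ng
measure func=MODULE_CHECK template=d-ng|n-ng
measure func=FILE_CHECK mask=MAY_READ uid=0
EOF
}

# Loading is a single write to securityfs (needs root and IMA enabled).
# Assumed path; not called anywhere in this file.
load_policy() {
    ima_policy > /sys/kernel/security/ima/policy
}

# Constructed sample of ascii_runtime_measurements; hashes are placeholders.
# Assumed columns: PCR  template-hash  template-name  template fields...
sample_log() {
    cat <<'EOF'
10 0000000000000000000000000000000000000001 ima-ng sha256:deadbeef /usr/bin/bash
10 0000000000000000000000000000000000000002 d-ng|n-ng sha256:c0ffee00 /lib/modules/ext4.ko
10 0000000000000000000000000000000000000003 ima-ng sha256:0badf00d /etc/passwd
EOF
}

# Entries per template name (column 3), one "name count" pair per line.
template_counts() {
    awk '{ n[$3]++ } END { for (t in n) print t, n[t] }' | sort
}

# Number of distinct template names in the log read from stdin.
distinct_templates() {
    awk '{ print $3 }' | sort -u | wc -l | tr -d ' '
}

# Usage: sample_log | template_counts
#        cat /sys/kernel/security/ima/ascii_runtime_measurements | distinct_templates
```

Running the two helpers against the real ascii_runtime_measurements after loading such a policy is the quickest way to check that per-rule templates took effect: a log produced by a single default template has exactly one distinct name in column 3.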