On 10/18/19 1:25 PM, Casey Schaufler wrote:
>> Problem Statement:
>> key_create_or_update function currently does not have
>> a security LSM hook. The hook is needed to allow security
>> subsystems to use key create or update information.
> What security module(s) do you expect to use this?
SELinux is one that I can think of - it has hooks for key_alloc,
key_free, etc., but it does not have one for key_create_or_update.
> IMA is not a Linux Security Module.
Agree. But ima utilizes LSM to hook into system operations (such as
read_file given below).
int security_kernel_post_read_file(struct file *file, char *buf,
                                   loff_t size,
                                   enum kernel_read_file_id id)
{
        int ret;

        ret = call_int_hook(kernel_post_read_file, 0, file,
                            buf, size, id);
        if (ret)
                return ret;
        return ima_post_read_file(file, buf, size, id);
}
I am currently working on an ima function to measure keys. The change
set I have submitted today is in preparation for that.
> You don't have a security module that provides this hook.
> We don't accept interfaces without users.
Like I have mentioned above, that change in ima will be submitted for
review shortly.
If you have suggestions for a better way to hook into key create/update
that ima can use to measure keys, I'll be happy to investigate that.
thanks,
-lakshmi
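To make the ordering in the security_kernel_post_read_file() snippet quoted above concrete, here is an added userspace model (not kernel code and not part of this patch series): the LSM hook chain runs first, and the modeled IMA post-hook only measures when every hook returned 0. The hook registry, the deny_tmp policy hook and the path-recording IMA stand-in are assumptions constructed for the illustration.

```c
/* Userspace model of the hook chaining in security_kernel_post_read_file():
 * added illustration, not kernel code. Assumptions: LSM hooks are plain
 * function pointers; the IMA post-hook is modeled as recording the path. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define MAX_HOOKS 4
typedef int (*post_read_hook_t)(const char *path, const char *buf, size_t size);
static post_read_hook_t hooks[MAX_HOOKS];
static int nhooks;
static char ima_measured[64];   /* empty while the modeled IMA hook has not run */
static int reset_hooks(void) { nhooks = 0; ima_measured[0] = '\0'; return 0; }
static int register_hook(post_read_hook_t h)
{
        if (nhooks < MAX_HOOKS)
                hooks[nhooks++] = h;
        return nhooks;
}
static const char *ima_last_measured(void) { return ima_measured; }
/* Mirrors call_int_hook(): default result 0, stop at the first non-zero return. */
static int call_int_hook(const char *path, const char *buf, size_t size)
{
        for (int i = 0; i < nhooks; i++) {
                int ret = hooks[i](path, buf, size);
                if (ret)
                        return ret;
        }
        return 0;
}
/* Modeled ima_post_read_file(): "measures" by recording the path. */
static int ima_post_read_file(const char *path, const char *buf, size_t size)
{
        (void)buf; (void)size;
        snprintf(ima_measured, sizeof ima_measured, "%s", path);
        return 0;
}
/* Same shape as the kernel function: LSM hooks first, IMA only if all accept. */
static int security_kernel_post_read_file(const char *path, const char *buf, size_t size)
{
        int ret = call_int_hook(path, buf, size);
        if (ret)
                return ret;
        return ima_post_read_file(path, buf, size);
}
/* Constructed sample LSM hook: refuse anything read from /tmp. */
static int deny_tmp(const char *path, const char *buf, size_t size)
{
        (void)buf; (void)size;
        return strncmp(path, "/tmp/", 5) == 0 ? -EPERM : 0;
}
```

A denied read never reaches the IMA stand-in, which is the same short-circuit the kernel code shows: a vetoing LSM hook means IMA measures nothing for that file.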