On 11/12/2019 9:05 AM, Mimi Zohar wrote:
int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,
enum ima_hooks func, int mask, int flags, int *pcr,
- struct ima_template_desc **template_desc)
+ struct ima_template_desc **template_desc,
+ char **keyrings)
{
struct ima_rule_entry *entry;
int action = 0, actmask = flags | (flags << 1);
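Review bot: the new `char **keyrings` out-parameter added to the ima_match_policy() signature is not documented in this hunk; the function's kernel-doc comment should describe it (set only when a matching rule carries IMA_KEYRINGS, otherwise untouched), and every existing caller must be updated to pass NULL or a real pointer, since the parameter is optional by the look of the NULL check in the later hunk. Consider `const char **keyrings` as well, because the string handed back belongs to the policy rule and callers should not modify it.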
@@ -527,6 +529,9 @@ int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,
if ((pcr) && (entry->flags & IMA_PCR))
*pcr = entry->pcr;
+ if ((keyrings) && (entry->flags & IMA_KEYRINGS))
+ *keyrings = entry->keyrings;
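Review bot: `*keyrings = entry->keyrings;` hands the caller a pointer into the matching rule entry rather than a copy, so the value is only valid for as long as that policy rule is alive; the lifetime rule should be stated, and callers must not hold it across a policy update. The check itself mirrors the existing `if ((pcr) && (entry->flags & IMA_PCR))` line, which is consistent, but note that like `*pcr` it sits inside the rule loop and a later matching rule with IMA_KEYRINGS set will overwrite it.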
ima_match_rules() determines whether the rule is in policy or not. It
returns true on rule match, false on failure. There's no need to
return the list of keyrings.
But the above code change is in ima_match_policy(), not in the
ima_match_rules() function.
ima_match_rules() function is updated in Patch #1 -
[PATCH v5 01/10] IMA: Added KEYRING_CHECK func in IMA policy to measure keys
I've updated that function to check if func is "KEYRING_CHECK" and
return true/false as appropriate.
Am I missing something?
-lakshmi