On 12/3/2019 4:25 AM, Mimi Zohar wrote:
Hi Mimi,
Hi Lakshmi,
A keyring can be created by any user with any keyring name, other than
ones dot prefixed, which are limited to the trusted builtin keyrings.
With a policy of "func=KEY_CHECK template=ima-buf keyrings=foo", for
example, keys loaded onto any keyring named "foo" will be measured.
For files, the IMA policy may be constrained to a particular uid/gid.
An additional method of identifying or constraining keyring names
needs to be defined.
I agree - this is a good idea.
Do you think this can be added as a separate patch set - enhancement to
the current one, or should this be addressed in the current set?
I was just about to send an update today that addresses your latest
comments. Will hold it if you think the above change should be included
now. Please let me know.
thanks,
-lakshmi