Re: [PATCH v9 5/6] IMA: Add support to limit measuring keys

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 2019-12-03 at 08:13 -0800, Lakshmi Ramasubramanian wrote:
> On 12/3/2019 4:25 AM, Mimi Zohar wrote:
> 
> Hi Mimi,
> 
> > Hi Lakshmi,
> > 
> > A keyring can be created by any user with any keyring name, other than
> >   ones dot prefixed, which are limited to the trusted builtin keyrings.
> >   With a policy of "func=KEY_CHECK template=ima-buf keyrings=foo", for
> > example, keys loaded onto any keyring named "foo" will be measured.
> >   For files, the IMA policy may be constrained to a particular uid/gid.
> >   An additional method of identifying or constraining keyring names
> > needs to be defined.
> > 
> 
> I agree - this is a good idea.
> 
> Do you think this can be added as a separate patch set - enhancement to 
> the current one, or should this be addressed in the current set?
> 
> I was just about to send an update today that addresses your latest 
> comments. Will hold it if you think the above change should be included 
> now. Please let me know.

I'm hoping that it won't be all that difficult to implement and could
be included in this patch set as an additional patch.

Mimi




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux