On Tue, 2019-12-03 at 08:13 -0800, Lakshmi Ramasubramanian wrote:
> On 12/3/2019 4:25 AM, Mimi Zohar wrote:
>
> Hi Mimi,
>
> > Hi Lakshmi,
> >
> > A keyring can be created by any user with any keyring name, other than
> > ones dot prefixed, which are limited to the trusted builtin keyrings.
> > With a policy of "func=KEY_CHECK template=ima-buf keyrings=foo", for
> > example, keys loaded onto any keyring named "foo" will be measured.
> > For files, the IMA policy may be constrained to a particular uid/gid.
> > An additional method of identifying or constraining keyring names
> > needs to be defined.
> >
>
> I agree - this is a good idea.
>
> Do you think this can be added as a separate patch set - enhancement to
> the current one, or should this be addressed in the current set?
>
> I was just about to send an update today that addresses your latest
> comments. Will hold it if you think the above change should be included
> now. Please let me know.

I'm hoping that it won't be all that difficult to implement and could be
included in this patch set as an additional patch.

Mimi
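The concern Mimi raises above can be checked mechanically on a policy file before it is loaded: a KEY_CHECK rule whose keyrings= list names something that is not dot prefixed will match a keyring any user can create. The following linter is an added example for this thread, not code from the kernel tree or from either author. It parses the key=value rule syntax quoted in the message, treats the keyrings= value as a '|'-separated list, and assumes (an assumption, not stated in the thread) that a KEY_CHECK rule with no keyrings= option applies to every keyring. The sample policy at the bottom is constructed for the example.

```python
"""Lint IMA policy rules for KEY_CHECK rules that name user-creatable keyrings.

Added example for the thread above; not part of the kernel or the patch set.
Per the thread, only dot-prefixed keyring names are reserved for the trusted
builtin keyrings, so a rule such as "keyrings=foo" matches a keyring that any
user may create, and keys loaded onto it would be measured.
"""

import shlex

BUILTIN_PREFIX = "."  # dot-prefixed names are limited to builtin keyrings


def parse_rule(line):
    """Split one policy line into (action, {option: value}).

    Example: 'measure func=KEY_CHECK template=ima-buf keyrings=foo'
    Returns None for blank or comment-only lines.
    """
    tokens = shlex.split(line, comments=True)
    if not tokens:
        return None
    action, options = tokens[0], {}
    for tok in tokens[1:]:
        if "=" not in tok:
            raise ValueError(f"malformed option {tok!r} in rule {line!r}")
        key, value = tok.split("=", 1)
        options[key] = value
    return action, options


def unconstrained_keyrings(options):
    """Return the keyring names in a KEY_CHECK rule that any user could create.

    Assumption for this example: a KEY_CHECK rule without keyrings= applies to
    every keyring, which is reported as "<any keyring>".
    """
    if options.get("func") != "KEY_CHECK":
        return []
    names = options.get("keyrings", "")
    if not names:
        return ["<any keyring>"]
    # keyrings= is a '|'-separated list of keyring names
    return [n for n in names.split("|") if not n.startswith(BUILTIN_PREFIX)]


def lint_policy(text):
    """Return (line_no, rule, names) for every KEY_CHECK rule that names a
    keyring outside the dot-prefixed builtin namespace."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        parsed = parse_rule(line)
        if parsed is None:
            continue
        _, options = parsed
        names = unconstrained_keyrings(options)
        if names:
            findings.append((no, line.strip(), names))
    return findings


# Constructed sample policy; the "keyrings=foo" rule is the one quoted in the thread.
SAMPLE_POLICY = """\
# measure keys loaded onto the builtin IMA keyring
measure func=KEY_CHECK template=ima-buf keyrings=.ima
# the rule from the thread: any user can create a keyring named "foo"
measure func=KEY_CHECK template=ima-buf keyrings=foo
measure func=KEY_CHECK template=ima-buf keyrings=.ima|foo|.evm
measure func=BPRM_CHECK mask=MAY_EXEC uid=0
"""

if __name__ == "__main__":
    for no, rule, names in lint_policy(SAMPLE_POLICY):
        print(f"line {no}: {rule}")
        print(f"    user-creatable keyring(s): {', '.join(names)}")
```

Run against the constructed policy it reports lines 4 and 5, both because of "foo"; the rule restricted to .ima alone passes. Once the patch set gains a way to constrain keyring names (the additional method the thread calls for), the `unconstrained_keyrings` check is the place to honour it.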