Hi Mimi,
On 12/3/2019 4:25 AM, Mimi Zohar wrote:
A keyring can be created by any user with any keyring name, other than
ones dot prefixed, which are limited to the trusted builtin keyrings.
With a policy of "func=KEY_CHECK template=ima-buf keyrings=foo", for
example, keys loaded onto any keyring named "foo" will be measured.
For files, the IMA policy may be constrained to a particular uid/gid.
An additional method of identifying or constraining keyring names
needs to be defined.
Mimi
Are you expecting a functionality like the following?
=> Measure keys added to keyring "foo", but exclude certain keys
(based on some key identifier)
Sample policy might look like below:
action=MEASURE func=KEY_CHECK keyrings=foo|bar
action=DONT_MEASURE key_magic=blah
So a key with key_magic "blah" will not be measured even though it is
added to the keyring "foo". But any other key added to "foo" will be
measured.
What would the constraining field in the key may be - Can it be SHA256
hash of the public key? Or, some other unique identifier?
Could you please clarify?
thanks,
-lakshmi
