Hi Tushar,

On Wed, 2020-09-23 at 12:20 -0700, Tushar Sugandhi wrote:
> ima_match_rule_data() permits the func to pass empty func_data.
> For instance, for the following func, the func_data keyrings= is
> optional.
> measure func=KEY_CHECK keyrings=.ima
>
> But a new func in future may want to constrain the func_data to
> be non-empty. ima_match_rule_data() should support this constraint
> and it shouldn't be hard-coded in ima_match_rule_data().
>
> Update ima_match_rule_data() to conditionally allow empty func_data
> for the func that needs it.
>
> Signed-off-by: Tushar Sugandhi <tusharsu@xxxxxxxxxxxxxxxxxxx>

Policy rules may constrain what is measured, but that decision should
be left to the system owner or admin.

Mimi