Re: [PATCH v9 5/6] IMA: Add support to limit measuring keys

[Lakshmi Ramasubramanian]

Hi Mimi,

On 12/3/2019 4:25 AM, Mimi Zohar wrote:

> A keyring can be created by any user with any keyring name, other than
>  Âones dot prefixed, which are limited to the trusted builtin keyrings.
>  ÂWith a policy of "func=KEY_CHECK template=ima-buf keyrings=foo", for
> example, keys loaded onto any keyring named "foo" will be measured.
>  ÂFor files, the IMA policy may be constrained to a particular uid/gid.
>  ÂAn additional method of identifying or constraining keyring names
> needs to be defined.
>
> Mimi

Are you expecting a functionality like the following?

 => Measure keys added to keyring "foo", but exclude certain keys 
(based on some key identifier)

Sample policy might look like below:

action=MEASURE func=KEY_CHECK keyrings=foo|bar
action=DONT_MEASURE key_magic=blah

So a key with key_magic "blah" will not be measured even though it is 
added to the keyring "foo". But any other key added to "foo" will be 
measured.

What would the constraining field in the key may be - Can it be SHA256 
hash of the public key? Or, some other unique identifier?

Could you please clarify?

thanks,
 -lakshmi