Commit 48ce1ddc authored by Tyler Hicks, committed by Mimi Zohar

ima: Fail rule parsing when asymmetric key measurement isn't supportable

Measuring keys is currently only supported for asymmetric keys. In the
future, this might change.

For now, the "func=KEY_CHECK" and "keyrings=" options are only
appropriate when CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS is enabled. Make
this clear at policy load so that IMA policy authors don't assume that
these policy language constructs are supported.

Fixes: 2b60c0ec ("IMA: Read keyrings= option from the IMA policy")
Fixes: 5808611c ("IMA: Add KEY_CHECK func to measure keys")
Suggested-by: Nayna Jain <nayna@linux.ibm.com>
Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
Reviewed-by: Nayna Jain <nayna@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
parent 176377d9
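As an added pre-flight check (example script, not part of this commit or the kernel tree): scan an IMA policy file for the two constructs this patch gates and compare them against the kernel build configuration, so that a `func=KEY_CHECK` or `keyrings=` rule is caught before `ima_parse_rule()` rejects it with -EINVAL. The config and policy files below are constructed samples; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not the kernel's code): pre-flight check for IMA policy
# files that use func=KEY_CHECK or keyrings=. The patched ima_parse_rule()
# rejects both with -EINVAL unless CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y.

# Returns 0 if the given kernel .config enables asymmetric key measurement.
ima_asym_keys_enabled() {
    grep -qx 'CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y' "$1"
}

# Prints every policy rule that depends on the option; comments and blank
# lines are ignored. Always exits 0 so callers can capture empty output.
key_rules_in_policy() {
    grep -vE '^[[:space:]]*(#|$)' "$1" |
        grep -E 'func=KEY_CHECK|(^|[[:space:]])keyrings=' || true
}

# Reports whether POLICY ($2) would load on a kernel built from CONFIG ($1).
# Returns 0 when every rule is parseable, 1 when some would be rejected.
check_ima_policy() {
    config="$1"; policy="$2"
    rules=$(key_rules_in_policy "$policy")
    if [ -z "$rules" ]; then
        echo "OK: no KEY_CHECK/keyrings= rules in $policy"
        return 0
    fi
    if ima_asym_keys_enabled "$config"; then
        echo "OK: asymmetric key measurement enabled; key rules will parse"
        return 0
    fi
    echo "FAIL: CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS not set in $config;"
    echo "      these rules will be rejected with -EINVAL:"
    echo "$rules" | sed 's/^/      /'
    return 1
}

# Constructed sample inputs (hypothetical values for demonstration only).
tmp=$(mktemp -d)
printf '%s\n' '# CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS is not set' 'CONFIG_IMA=y' \
    > "$tmp/config-noasym"
printf '%s\n' 'CONFIG_IMA=y' 'CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y' \
    > "$tmp/config-asym"
printf '%s\n' '# measure keys added to the builtin and IMA keyrings' \
    'measure func=KEY_CHECK keyrings=.builtin_trusted_keys|.ima' \
    'measure func=POLICY_CHECK' > "$tmp/policy"

check_ima_policy "$tmp/config-asym" "$tmp/policy"
check_ima_policy "$tmp/config-noasym" "$tmp/policy" || true
```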
......@@ -1233,7 +1233,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
entry->func = POLICY_CHECK;
else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0)
entry->func = KEXEC_CMDLINE;
else if (strcmp(args[0].from, "KEY_CHECK") == 0)
else if (IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) &&
strcmp(args[0].from, "KEY_CHECK") == 0)
entry->func = KEY_CHECK;
else
result = -EINVAL;
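Review bot: with CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS disabled, the new `IS_ENABLED(...) &&` guard makes "func=KEY_CHECK" fall through to the final `else` and share its `result = -EINVAL;` with a genuinely unknown func name, so a policy author sees the same failure for a compiled-out feature as for a typo. Consider emitting a distinct message in that case (or noting in the policy documentation that KEY_CHECK requires the option) so the cause is evident from the load failure; the short-circuit itself is fine, since the strcmp() is simply never reached when the option is off.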
......@@ -1290,7 +1291,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
case Opt_keyrings:
ima_log_string(ab, "keyrings", args[0].from);
if (entry->keyrings) {
if (!IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) ||
entry->keyrings) {
result = -EINVAL;
break;
}
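Review bot: the check runs after `ima_log_string(ab, "keyrings", args[0].from);`, so the audit record carries the keyrings= value, but the merged condition gives no way to tell whether the rule was rejected because the option is compiled out or because keyrings= appeared twice (`entry->keyrings` already set). Splitting the two cases, or logging the reason before `result = -EINVAL;`, would make the failure diagnosable; the rejection itself is correct for a kernel without asymmetric key measurement.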