From: Tyler Hicks tyhicks@linux.microsoft.com
[ Upstream commit 48ce1ddce16b0d1e3ff948da40a0d5125a4ee1a0 ]
Measuring keys is currently only supported for asymmetric keys. In the future, this might change.
For now, the "func=KEY_CHECK" and "keyrings=" options are only appropriate when CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS is enabled. Make this clear at policy load so that IMA policy authors don't assume that these policy language constructs are supported.
Fixes: 2b60c0ecedf8 ("IMA: Read keyrings= option from the IMA policy") Fixes: 5808611cccb2 ("IMA: Add KEY_CHECK func to measure keys") Suggested-by: Nayna Jain nayna@linux.ibm.com Signed-off-by: Tyler Hicks tyhicks@linux.microsoft.com Reviewed-by: Lakshmi Ramasubramanian nramas@linux.microsoft.com Reviewed-by: Nayna Jain nayna@linux.ibm.com Signed-off-by: Mimi Zohar zohar@linux.ibm.com Signed-off-by: Sasha Levin sashal@kernel.org --- security/integrity/ima/ima_policy.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 9354e7cf4a09f..4a7a4b6bf79b2 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -1233,7 +1233,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) entry->func = POLICY_CHECK; else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0) entry->func = KEXEC_CMDLINE; - else if (strcmp(args[0].from, "KEY_CHECK") == 0) + else if (IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) && + strcmp(args[0].from, "KEY_CHECK") == 0) entry->func = KEY_CHECK; else result = -EINVAL; @@ -1290,7 +1291,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) case Opt_keyrings: ima_log_string(ab, "keyrings", args[0].from);
- if (entry->keyrings) { + if (!IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) || + entry->keyrings) { result = -EINVAL; break; }