[PATCH openEuler-21.09 06/46] ima: Add ima namespace to the ima subsystem APIs

From: Krzysztof Struczynski krzysztof.struczynski@huawei.com

hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I49KW1 CVE: NA

--------------------------------

Add ima namespace pointer to the input parameters of the relevant functions. This is a preparation for the policy namespacing, more functions may be modified later, when other aspects of the ima are namespaced.

Signed-off-by: Krzysztof Struczynski krzysztof.struczynski@huawei.com Reviewed-by: Zhang Tianxing zhangtianxing3@huawei.com Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com --- include/linux/ima.h | 4 +- security/integrity/ima/ima.h | 28 ++++++++----- security/integrity/ima/ima_api.c | 9 ++-- security/integrity/ima/ima_appraise.c | 16 +++++--- security/integrity/ima/ima_asymmetric_keys.c | 3 +- security/integrity/ima/ima_fs.c | 2 +- security/integrity/ima/ima_main.c | 43 +++++++++++--------- security/integrity/ima/ima_policy.c | 42 +++++++++++-------- security/integrity/ima/ima_queue_keys.c | 3 +- 9 files changed, 90 insertions(+), 60 deletions(-)

diff --git a/include/linux/ima.h b/include/linux/ima.h index 5cb5659c0a06..7f847cf0297c 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -152,7 +152,7 @@ static inline void ima_post_key_create_or_update(struct key *keyring, #endif /* CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS */

#ifdef CONFIG_IMA_APPRAISE -extern bool is_ima_appraise_enabled(void); +extern bool is_ima_appraise_enabled(const struct ima_namespace *ima_ns); extern void ima_inode_post_setattr(struct dentry *dentry); extern int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, const void *xattr_value, size_t xattr_value_len); @@ -164,7 +164,7 @@ extern int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name); extern void ima_inode_post_removexattr(struct dentry *dentry, const char *xattr_name); #else -static inline bool is_ima_appraise_enabled(void) +static inline bool is_ima_appraise_enabled(const struct ima_namespace *ima_ns) { return 0; } diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index e62bd2dfa595..8e181863565b 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -268,7 +268,8 @@ static inline void ima_process_queued_keys(void) {} int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid, int mask, enum ima_hooks func, int *pcr, struct ima_template_desc **template_desc, - const char *keyring); + const char *keyring, + struct ima_namespace *ima_ns); int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func); int ima_collect_measurement(struct integrity_iint_cache *iint, struct file *file, void *buf, loff_t size, @@ -278,10 +279,12 @@ void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file, struct evm_ima_xattr_data *xattr_value, int xattr_len, const struct modsig *modsig, int pcr, struct ima_template_desc *template_desc, - struct ima_digest *digest); + struct ima_digest *digest, + struct ima_namespace *ima_ns); void process_buffer_measurement(struct inode *inode, const void *buf, int size, const char *eventname, enum ima_hooks func, - int pcr, const char *keyring); + int pcr, const char *keyring, + struct ima_namespace *ima_ns); void ima_audit_measurement(struct integrity_iint_cache *iint, const unsigned char *filename); int ima_alloc_init_template(struct ima_event_data *event_data, @@ -297,15 +300,16 @@ const char *ima_d_path(const struct path *path, char **pathbuf, char *filename); int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid, enum ima_hooks func, int mask, int flags, int *pcr, struct ima_template_desc **template_desc, - const char *keyring); + const char *keyring, + struct ima_namespace *ima_ns); void ima_init_policy(void); void ima_init_ns_policy(struct ima_namespace *ima_ns, const struct ima_policy_setup_data *policy_setup_data); void ima_update_policy(void); -void ima_update_policy_flag(void); +void ima_update_policy_flag(struct ima_namespace *ima_ns); ssize_t ima_parse_add_rule(char *); void ima_delete_rules(void); -int ima_check_policy(void); +int ima_check_policy(const struct ima_namespace *ima_ns); void *ima_policy_start(struct seq_file *m, loff_t *pos); void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos); void ima_policy_stop(struct seq_file *m, void *v); @@ -333,20 +337,23 @@ int ima_default_appraise_setup(const char *str,

#ifdef CONFIG_IMA_APPRAISE int ima_check_blacklist(struct integrity_iint_cache *iint, - const struct modsig *modsig, int pcr); + const struct modsig *modsig, int pcr, + struct ima_namespace *ima_ns); int ima_appraise_measurement(enum ima_hooks func, struct integrity_iint_cache *iint, struct file *file, const unsigned char *filename, struct evm_ima_xattr_data *xattr_value, int xattr_len, const struct modsig *modsig, struct ima_digest *found_digest); -int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func); +int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func, + struct ima_namespace *ima_ns); void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file); enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint, enum ima_hooks func); #else static inline int ima_check_blacklist(struct integrity_iint_cache *iint, - const struct modsig *modsig, int pcr) + const struct modsig *modsig, int pcr, + struct ima_namespace *ima_ns) { return 0; } @@ -364,7 +371,8 @@ static inline int ima_appraise_measurement(enum ima_hooks func, }

static inline int ima_must_appraise(struct inode *inode, int mask, - enum ima_hooks func) + enum ima_hooks func, + struct ima_namespace *ima_ns) { return 0; } diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index d9f4599dee40..b4347eac9c85 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -191,6 +191,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename, * @pcr: pointer filled in if matched measure policy sets pcr= * @template_desc: pointer filled in if matched measure policy sets template= * @keyring: keyring name used to determine the action + * @ima_ns: ima namespace whose policy data will be used * * The policy is defined in terms of keypairs: * subj=, obj=, type=, func=, mask=, fsmagic= @@ -206,14 +207,15 @@ void ima_add_violation(struct file *file, const unsigned char *filename, int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid, int mask, enum ima_hooks func, int *pcr, struct ima_template_desc **template_desc, - const char *keyring) + const char *keyring, + struct ima_namespace *ima_ns) { int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE | IMA_HASH;

flags &= ima_policy_flag;

return ima_match_policy(inode, cred, secid, func, mask, flags, pcr, - template_desc, keyring); + template_desc, keyring, ima_ns); }

/* @@ -318,7 +320,8 @@ void ima_store_measurement(struct integrity_iint_cache *iint, struct evm_ima_xattr_data *xattr_value, int xattr_len, const struct modsig *modsig, int pcr, struct ima_template_desc *template_desc, - struct ima_digest *digest) + struct ima_digest *digest, + struct ima_namespace *ima_ns) { static const char op[] = "add_template_measure"; static const char audit_cause[] = "ENOMEM"; diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index ad7715822e06..9213c012cbe4 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -81,10 +81,11 @@ __setup("ima_appraise_digest_list=", appraise_digest_list_setup);

/* * is_ima_appraise_enabled - return appraise status + * @ima_ns: pointer to the ima namespace being checked * * Only return enabled, if not in ima_appraise="fix" or "log" modes. */ -bool is_ima_appraise_enabled(void) +bool is_ima_appraise_enabled(const struct ima_namespace *ima_ns) { return ima_appraise & IMA_APPRAISE_ENFORCE; } @@ -94,7 +95,8 @@ bool is_ima_appraise_enabled(void) * * Return 1 to appraise or hash */ -int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func) +int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func, + struct ima_namespace *ima_ns) { u32 secid;

@@ -103,7 +105,8 @@ int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func)

security_task_getsecid(current, &secid); return ima_match_policy(inode, current_cred(), secid, func, mask, - IMA_APPRAISE | IMA_HASH, NULL, NULL, NULL); + IMA_APPRAISE | IMA_HASH, NULL, NULL, NULL, + NULL); }

static int ima_fix_xattr(struct dentry *dentry, @@ -331,7 +334,8 @@ static int modsig_verify(enum ima_hooks func, const struct modsig *modsig, * Returns -EPERM if the hash is blacklisted. */ int ima_check_blacklist(struct integrity_iint_cache *iint, - const struct modsig *modsig, int pcr) + const struct modsig *modsig, int pcr, + struct ima_namespace *ima_ns) { enum hash_algo hash_algo; const u8 *digest = NULL; @@ -348,7 +352,7 @@ int ima_check_blacklist(struct integrity_iint_cache *iint, if ((rc == -EPERM) && (iint->flags & IMA_MEASURE)) process_buffer_measurement(NULL, digest, digestsize, "blacklisted-hash", NONE, - pcr, NULL); + pcr, NULL, NULL); }

return rc; @@ -575,7 +579,7 @@ void ima_inode_post_setattr(struct dentry *dentry) || !(inode->i_opflags & IOP_XATTR)) return;

- action = ima_must_appraise(inode, MAY_ACCESS, POST_SETATTR); + action = ima_must_appraise(inode, MAY_ACCESS, POST_SETATTR, NULL); iint = integrity_iint_find(inode); if (iint) { set_bit(IMA_CHANGE_ATTR, &iint->atomic_flags); diff --git a/security/integrity/ima/ima_asymmetric_keys.c b/security/integrity/ima/ima_asymmetric_keys.c index 1c68c500c26f..58aa56b0422d 100644 --- a/security/integrity/ima/ima_asymmetric_keys.c +++ b/security/integrity/ima/ima_asymmetric_keys.c @@ -60,5 +60,6 @@ void ima_post_key_create_or_update(struct key *keyring, struct key *key, */ process_buffer_measurement(NULL, payload, payload_len, keyring->description, KEY_CHECK, 0, - keyring->description); + keyring->description, + NULL); } diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c index e3d5f4154586..8c45e404351e 100644 --- a/security/integrity/ima/ima_fs.c +++ b/security/integrity/ima/ima_fs.c @@ -527,7 +527,7 @@ static int ima_release_data_upload(struct inode *inode, struct file *file) return 0; }

- if (valid_policy && ima_check_policy() < 0) { + if (valid_policy && ima_check_policy(NULL) < 0) { cause = "failed"; valid_policy = 0; } diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index c124ad4f2c82..422b253006fb 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -124,7 +124,8 @@ static void ima_rdwr_violation_check(struct file *file, int must_measure, char **pathbuf, const char **pathname, - char *filename) + char *filename, + struct ima_namespace *ima_ns) { struct inode *inode = file_inode(file); fmode_t mode = file->f_mode; @@ -294,7 +295,8 @@ void ima_file_free(struct file *file)

static int process_measurement(struct file *file, const struct cred *cred, u32 secid, char *buf, loff_t size, int mask, - enum ima_hooks func) + enum ima_hooks func, + struct ima_namespace *ima_ns) { struct inode *inode = file_inode(file); struct integrity_iint_cache *iint = NULL; @@ -319,7 +321,7 @@ static int process_measurement(struct file *file, const struct cred *cred, * Included is the appraise submask. */ action = ima_get_action(inode, cred, secid, mask, func, &pcr, - &template_desc, NULL); + &template_desc, NULL, ima_ns); violation_check = ((func == FILE_CHECK || func == MMAP_CHECK) && (ima_policy_flag & IMA_MEASURE)); if (!action && !violation_check) @@ -341,7 +343,7 @@ static int process_measurement(struct file *file, const struct cred *cred,

if (!rc && violation_check) ima_rdwr_violation_check(file, iint, action & IMA_MEASURE, - &pathbuf, &pathname, filename); + &pathbuf, &pathname, filename, ima_ns);

inode_unlock(inode);

@@ -442,10 +444,11 @@ static int process_measurement(struct file *file, const struct cred *cred, xattr_value, xattr_len, modsig, pcr, template_desc, ima_digest_allow(found_digest, - IMA_MEASURE)); + IMA_MEASURE), + ima_ns);

if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) { - rc = ima_check_blacklist(iint, modsig, pcr); + rc = ima_check_blacklist(iint, modsig, pcr, ima_ns); if (rc != -EPERM) { inode_lock(inode); rc = ima_appraise_measurement(func, iint, file, @@ -501,7 +504,7 @@ int ima_file_mmap(struct file *file, unsigned long prot) if (file && (prot & PROT_EXEC)) { security_task_getsecid(current, &secid); return process_measurement(file, current_cred(), secid, NULL, - 0, MAY_EXEC, MMAP_CHECK); + 0, MAY_EXEC, MMAP_CHECK, NULL); }

return 0; @@ -540,7 +543,7 @@ int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot) security_task_getsecid(current, &secid); inode = file_inode(vma->vm_file); action = ima_get_action(inode, current_cred(), secid, MAY_EXEC, - MMAP_CHECK, &pcr, &template, 0); + MMAP_CHECK, &pcr, &template, 0, NULL);

/* Is the mmap'ed file in policy? */ if (!(action & (IMA_MEASURE | IMA_APPRAISE_SUBMASK))) @@ -579,13 +582,13 @@ int ima_bprm_check(struct linux_binprm *bprm)

security_task_getsecid(current, &secid); ret = process_measurement(bprm->file, current_cred(), secid, NULL, 0, - MAY_EXEC, BPRM_CHECK); + MAY_EXEC, BPRM_CHECK, NULL); if (ret) return ret;

security_cred_getsecid(bprm->cred, &secid); return process_measurement(bprm->file, bprm->cred, secid, NULL, 0, - MAY_EXEC, CREDS_CHECK); + MAY_EXEC, CREDS_CHECK, NULL); }

/** @@ -606,7 +609,7 @@ int ima_file_check(struct file *file, int mask) security_task_getsecid(current, &secid); rc = process_measurement(file, current_cred(), secid, NULL, 0, mask & (MAY_READ | MAY_WRITE | MAY_EXEC | - MAY_APPEND), FILE_CHECK); + MAY_APPEND), FILE_CHECK, NULL); if (ima_current_is_parser() && !rc) ima_check_measured_appraised(file); return rc; @@ -685,7 +688,7 @@ void ima_post_create_tmpfile(struct inode *inode) struct integrity_iint_cache *iint; int must_appraise;

- must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK); + must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK, NULL); if (!must_appraise) return;

@@ -712,7 +715,7 @@ void ima_post_path_mknod(struct dentry *dentry) struct inode *inode = dentry->d_inode; int must_appraise;

- must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK); + must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK, NULL); if (!must_appraise) return;

@@ -763,7 +766,7 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id, func = read_idmap[read_id] ?: FILE_CHECK; security_task_getsecid(current, &secid); return process_measurement(file, current_cred(), secid, NULL, - 0, MAY_READ, func); + 0, MAY_READ, func, NULL); }

const int read_idmap[READING_MAX_ID] = { @@ -807,7 +810,7 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, func = read_idmap[read_id] ?: FILE_CHECK; security_task_getsecid(current, &secid); return process_measurement(file, current_cred(), secid, buf, size, - MAY_READ, func); + MAY_READ, func, NULL); }

/** @@ -905,7 +908,8 @@ int ima_post_load_data(char *buf, loff_t size, */ void process_buffer_measurement(struct inode *inode, const void *buf, int size, const char *eventname, enum ima_hooks func, - int pcr, const char *keyring) + int pcr, const char *keyring, + struct ima_namespace *ima_ns) { int ret = 0; const char *audit_cause = "ENOMEM"; @@ -937,7 +941,7 @@ void process_buffer_measurement(struct inode *inode, const void *buf, int size, if (func) { security_task_getsecid(current, &secid); action = ima_get_action(inode, current_cred(), secid, 0, func, - &pcr, &template, keyring); + &pcr, &template, keyring, NULL); if (!(action & IMA_MEASURE)) return; } @@ -1009,7 +1013,8 @@ void ima_kexec_cmdline(int kernel_fd, const void *buf, int size) return;

process_buffer_measurement(file_inode(f.file), buf, size, - "kexec-cmdline", KEXEC_CMDLINE, 0, NULL); + "kexec-cmdline", KEXEC_CMDLINE, 0, NULL, + NULL); fdput(f); }

@@ -1038,7 +1043,7 @@ static int __init init_ima(void) pr_warn("Couldn't register LSM notifier, error %d\n", error);

if (!error) - ima_update_policy_flag(); + ima_update_policy_flag(&init_ima_ns);

return error; } diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index fe5d0f311f1c..ebb4721032d4 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -692,6 +692,7 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) * @template_desc: the template that should be used for this rule * @keyring: the keyring name, if given, to be used to check in the policy. * keyring can be NULL if func is anything other than KEY_CHECK. + * @ima_ns: IMA namespace whose policies are being checked * * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type) * conditions. @@ -703,7 +704,8 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid, enum ima_hooks func, int mask, int flags, int *pcr, struct ima_template_desc **template_desc, - const char *keyring) + const char *keyring, + struct ima_namespace *ima_ns) { struct ima_rule_entry *entry; int action = 0, actmask = flags | (flags << 1); @@ -756,8 +758,9 @@ int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid, * loaded policy. Based on this flag, the decision to short circuit * out of a function or not call the function in the first place * can be made earlier. + * @ima_ns: pointer to the ima namespace whose policy flag is updated */ -void ima_update_policy_flag(void) +void ima_update_policy_flag(struct ima_namespace *ima_ns) { struct ima_rule_entry *entry;

@@ -786,7 +789,8 @@ static int ima_appraise_flag(enum ima_hooks func) return 0; }

-static void __init add_rules(struct ima_rule_entry *entries, int count, +static void __init add_rules(struct ima_policy_data *policy_data, + struct ima_rule_entry *entries, int count, enum policy_rule_list policy_rule) { int i = 0; @@ -914,19 +918,20 @@ void __init ima_init_policy(void)

/* if !ima_policy, we load NO default rules */ if (ima_policy) - add_rules(dont_measure_rules, ARRAY_SIZE(dont_measure_rules), + add_rules(NULL, + dont_measure_rules, ARRAY_SIZE(dont_measure_rules), IMA_DEFAULT_POLICY);

switch (ima_policy) { case ORIGINAL_TCB: - add_rules(original_measurement_rules, + add_rules(NULL, original_measurement_rules, ARRAY_SIZE(original_measurement_rules), IMA_DEFAULT_POLICY); break; case EXEC_TCB: fallthrough; case DEFAULT_TCB: - add_rules(default_measurement_rules, + add_rules(NULL, default_measurement_rules, ARRAY_SIZE(default_measurement_rules), IMA_DEFAULT_POLICY); default: @@ -934,7 +939,7 @@ void __init ima_init_policy(void) }

if (ima_policy) - add_rules(&ima_parser_measure_rule, 1, IMA_DEFAULT_POLICY); + add_rules(NULL, &ima_parser_measure_rule, 1, IMA_DEFAULT_POLICY);

/* * Based on runtime secure boot flags, insert arch specific measurement @@ -946,7 +951,7 @@ void __init ima_init_policy(void) if (!arch_entries) pr_info("No architecture policies found\n"); else - add_rules(arch_policy_entry, arch_entries, + add_rules(NULL, arch_policy_entry, arch_entries, IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);

/* @@ -954,7 +959,8 @@ void __init ima_init_policy(void) * signatures, prior to other appraise rules. */ if (ima_use_secure_boot || ima_use_appraise_exec_tcb) - add_rules(secure_boot_rules, ARRAY_SIZE(secure_boot_rules), + add_rules(NULL, + secure_boot_rules, ARRAY_SIZE(secure_boot_rules), IMA_DEFAULT_POLICY);

/* @@ -966,32 +972,34 @@ void __init ima_init_policy(void) build_appraise_entries = ARRAY_SIZE(build_appraise_rules); if (build_appraise_entries) { if (ima_use_secure_boot) - add_rules(build_appraise_rules, build_appraise_entries, + add_rules(NULL, + build_appraise_rules, build_appraise_entries, IMA_CUSTOM_POLICY); else - add_rules(build_appraise_rules, build_appraise_entries, + add_rules(NULL, + build_appraise_rules, build_appraise_entries, IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY); }

if (ima_use_appraise_tcb || ima_use_appraise_exec_tcb) - add_rules(default_appraise_rules, + add_rules(NULL, default_appraise_rules, ARRAY_SIZE(default_appraise_rules), IMA_DEFAULT_POLICY);

if (ima_use_appraise_exec_tcb) - add_rules(appraise_exec_rules, + add_rules(NULL, appraise_exec_rules, ARRAY_SIZE(appraise_exec_rules), IMA_DEFAULT_POLICY);

if (ima_use_secure_boot || ima_use_appraise_tcb || ima_use_appraise_exec_tcb) - add_rules(&ima_parser_appraise_rule, 1, IMA_DEFAULT_POLICY); + add_rules(NULL, &ima_parser_appraise_rule, 1, IMA_DEFAULT_POLICY);

- ima_update_policy_flag(); + ima_update_policy_flag(NULL); }

/* Make sure we have a valid policy, at least containing some rules. */ -int ima_check_policy(void) +int ima_check_policy(const struct ima_namespace *ima_ns) { if (list_empty(&ima_temp_rules)) return -EINVAL; @@ -1027,7 +1035,7 @@ void ima_update_policy(void) */ kfree(arch_policy_entry); } - ima_update_policy_flag(); + ima_update_policy_flag(NULL);

/* Custom IMA policy has been loaded */ ima_process_queued_keys(); diff --git a/security/integrity/ima/ima_queue_keys.c b/security/integrity/ima/ima_queue_keys.c index 69a8626a35c0..34ca54ba52b7 100644 --- a/security/integrity/ima/ima_queue_keys.c +++ b/security/integrity/ima/ima_queue_keys.c @@ -162,7 +162,8 @@ void ima_process_queued_keys(void) entry->payload_len, entry->keyring_name, KEY_CHECK, 0, - entry->keyring_name); + entry->keyring_name, + NULL); list_del(&entry->list); ima_free_key_entry(entry); }