Message ID | 20210705115650.3373599-1-roberto.sassu@huawei.com (mailing list archive)
---|---
State | New, archived
Series | ima: Support euid keyword for buffer measurement
On 7/5/2021 4:56 AM, Roberto Sassu wrote: Hi Roberto, > This patch makes the 'euid' keyword available for buffer measurement rules, > in the same way as for other rules. Currently, there is only support for > the 'uid' keyword. > > With this change, buffer measurement (or non-measurement) can depend also > on the process effective UID. Who (kernel component) will be using this? Maybe you could make this change as part of the patch set in which the above "euid" support will be used. thanks, -lakshmi > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> > --- > security/integrity/ima/ima_policy.c | 12 +++++++++++- > 1 file changed, 11 insertions(+), 1 deletion(-) > > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c > index fd5d46e511f1..fdaa030fb04b 100644 > --- a/security/integrity/ima/ima_policy.c > +++ b/security/integrity/ima/ima_policy.c > @@ -480,6 +480,16 @@ static bool ima_match_rule_data(struct ima_rule_entry *rule, > if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) > return false; > > + if (rule->flags & IMA_EUID) { > + if (has_capability_noaudit(current, CAP_SETUID)) { > + if (!rule->uid_op(cred->euid, rule->uid) > + && !rule->uid_op(cred->suid, rule->uid) > + && !rule->uid_op(cred->uid, rule->uid)) > + return false; > + } else if (!rule->uid_op(cred->euid, rule->uid)) > + return false; > + } > + > switch (rule->func) { > case KEY_CHECK: > if (!rule->keyrings) > @@ -1153,7 +1163,7 @@ static bool ima_validate_rule(struct ima_rule_entry *entry) > if (entry->action & ~(MEASURE | DONT_MEASURE)) > return false; > > - if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR | > + if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_EUID | IMA_PCR | > IMA_LABEL)) > return false; > >
> From: Lakshmi Ramasubramanian [mailto:nramas@linux.microsoft.com] > Sent: Tuesday, July 6, 2021 9:30 PM > On 7/5/2021 4:56 AM, Roberto Sassu wrote: > > Hi Roberto, > > > This patch makes the 'euid' keyword available for buffer measurement rules, > > in the same way as for other rules. Currently, there is only support for > > the 'uid' keyword. > > > > With this change, buffer measurement (or non-measurement) can depend > also > > on the process effective UID. > > Who (kernel component) will be using this? Hi Lakshmi I'm using it in a (not yet submitted) test for digest lists. It is in a dont_measure rule to try to unload a digest list without measurement and to check that this is not allowed if the digest list was measured at addition time (to ensure completeness of information). > Maybe you could make this change as part of the patch set in which the > above "euid" support will be used. I wanted to send the digest lists patch set without anything else. I could resend the patch as part of that patch set if it is preferred. Thanks Roberto HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063 Managing Director: Li Peng, Li Jian, Shi Yanli > thanks, > -lakshmi > > > > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> > > --- > > security/integrity/ima/ima_policy.c | 12 +++++++++++- > > 1 file changed, 11 insertions(+), 1 deletion(-) > > > > diff --git a/security/integrity/ima/ima_policy.c > b/security/integrity/ima/ima_policy.c > > index fd5d46e511f1..fdaa030fb04b 100644 > > --- a/security/integrity/ima/ima_policy.c > > +++ b/security/integrity/ima/ima_policy.c 
> > @@ -480,6 +480,16 @@ static bool ima_match_rule_data(struct > ima_rule_entry *rule, > > if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) > > return false; > > > > + if (rule->flags & IMA_EUID) { > > + if (has_capability_noaudit(current, CAP_SETUID)) { > > + if (!rule->uid_op(cred->euid, rule->uid) > > + && !rule->uid_op(cred->suid, rule->uid) > > + && !rule->uid_op(cred->uid, rule->uid)) > > + return false; > > + } else if (!rule->uid_op(cred->euid, rule->uid)) > > + return false; > > + } > > + > > switch (rule->func) { > > case KEY_CHECK: > > if (!rule->keyrings) > > @@ -1153,7 +1163,7 @@ static bool ima_validate_rule(struct > ima_rule_entry *entry) > > if (entry->action & ~(MEASURE | DONT_MEASURE)) > > return false; > > > > - if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR | > > + if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_EUID | > IMA_PCR | > > IMA_LABEL)) > > return false; > > > >
Hi Roberto, On Wed, 2021-07-07 at 07:15 +0000, Roberto Sassu wrote: > > From: Lakshmi Ramasubramanian [mailto:nramas@linux.microsoft.com] > > Sent: Tuesday, July 6, 2021 9:30 PM > > On 7/5/2021 4:56 AM, Roberto Sassu wrote: > > > > Hi Roberto, > > > > > This patch makes the 'euid' keyword available for buffer measurement rules, > > > in the same way as for other rules. Currently, there is only support for > > > the 'uid' keyword. > > > > > > With this change, buffer measurement (or non-measurement) can depend > > also > > > on the process effective UID. > > > > Who (kernel component) will be using this? > > Hi Lakshmi > > I'm using it in a (not yet submitted) test for digest lists. > > It is in a dont_measure rule to try to unload a digest list > without measurement and to check that this is not allowed > if the digest list was measured at addition time (to ensure > completeness of information). > > > Maybe you could make this change as part of the patch set in which the > > above "euid" support will be used. > > I wanted to send the digest lists patch set without anything > else. I could resend the patch as part of that patch set if it is > preferred. Unless there is another usecase, please keep it with the digest list tests patch set. Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> thanks, Mimi
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index fd5d46e511f1..fdaa030fb04b 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -480,6 +480,16 @@ static bool ima_match_rule_data(struct ima_rule_entry *rule, if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) return false; + if (rule->flags & IMA_EUID) { + if (has_capability_noaudit(current, CAP_SETUID)) { + if (!rule->uid_op(cred->euid, rule->uid) + && !rule->uid_op(cred->suid, rule->uid) + && !rule->uid_op(cred->uid, rule->uid)) + return false; + } else if (!rule->uid_op(cred->euid, rule->uid)) + return false; + } + switch (rule->func) { case KEY_CHECK: if (!rule->keyrings) @@ -1153,7 +1163,7 @@ static bool ima_validate_rule(struct ima_rule_entry *entry) if (entry->action & ~(MEASURE | DONT_MEASURE)) return false; - if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR | + if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_EUID | IMA_PCR | IMA_LABEL)) return false;
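Review bot: in the ima_match_rule_data() hunk the new IMA_EUID block compares euid, suid and uid against the single rule->uid field, so a rule carrying both uid= and euid= would necessarily test both against the same value; if the parser does not already reject that combination for buffer rules, an explicit check or at least a comment is warranted. The block is also, per the commit message, the same logic already used for the other rule types, so a small shared helper taking (rule, cred) would keep the two copies from drifting apart. A one-line comment on the has_capability_noaudit(current, CAP_SETUID) branch explaining why any of the three ids is accepted there (a capable task can swap them at will) would help the next reader of this function.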
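Review bot: the ima_validate_rule() hunk widens the permitted flag set for MEASURE/DONT_MEASURE buffer rules to include IMA_EUID, but the diffstat shows ima_policy.c as the only file touched, so the policy documentation describing which options buffer measurement rules accept is not updated, and the thread itself says the test exercising a dont_measure euid= rule is not yet submitted. Please carry the documentation update and that test in the same series as this change, so the new keyword lands together with its description and its coverage.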
This patch makes the 'euid' keyword available for buffer measurement rules, in the same way as for other rules. Currently, there is only support for the 'uid' keyword. With this change, buffer measurement (or non-measurement) can depend also on the process effective UID. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> --- security/integrity/ima/ima_policy.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-)
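The commit message describes the keyword in terms of "the process effective UID", but the matching code accepts any of the effective, saved or real uid when the caller holds CAP_SETUID. The following user-space model is an added illustration, not part of Roberto's patch or of the kernel: it reproduces the uid/euid portion of the patched ima_match_rule_data() with constructed stand-ins for struct cred, kuid_t, the IMA_UID/IMA_EUID flag values and has_capability_noaudit(), so the rule semantics can be exercised outside the kernel.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's kuid_t: a plain integer here. */
typedef uint32_t kuid_t;

/* Constructed stand-in for the struct cred fields the rule consults. */
struct cred {
	kuid_t uid;       /* real uid */
	kuid_t euid;      /* effective uid */
	kuid_t suid;      /* saved uid */
	bool cap_setuid;  /* models has_capability_noaudit(current, CAP_SETUID) */
};

/* Placeholder flag values; the kernel's IMA_* bit assignments differ. */
#define IMA_UID  0x0001
#define IMA_EUID 0x0002

struct ima_rule_entry {
	unsigned int flags;
	kuid_t uid;                      /* the uid= / euid= value from the policy rule */
	bool (*uid_op)(kuid_t, kuid_t);  /* comparison chosen by the rule's operator */
};

/* The '=' operator; the kernel also offers '>' and '<' variants. */
static bool uid_eq(kuid_t a, kuid_t b)
{
	return a == b;
}

/* Mirrors the uid/euid checks of the patched ima_match_rule_data(). */
static bool match_uid_euid(const struct ima_rule_entry *rule,
			   const struct cred *cred)
{
	if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
		return false;

	if (rule->flags & IMA_EUID) {
		if (cred->cap_setuid) {
			/* A CAP_SETUID task can switch among its real, effective
			 * and saved ids, so the rule fires if any of them matches. */
			if (!rule->uid_op(cred->euid, rule->uid)
			    && !rule->uid_op(cred->suid, rule->uid)
			    && !rule->uid_op(cred->uid, rule->uid))
				return false;
		} else if (!rule->uid_op(cred->euid, rule->uid)) {
			return false;
		}
	}
	return true;
}

/* Evaluate an "euid=<rule_uid>" rule against a task with the given ids. */
static bool euid_rule_matches(kuid_t rule_uid, kuid_t uid, kuid_t euid,
			      kuid_t suid, bool cap_setuid)
{
	struct ima_rule_entry rule = {
		.flags = IMA_EUID, .uid = rule_uid, .uid_op = uid_eq,
	};
	struct cred cred = {
		.uid = uid, .euid = euid, .suid = suid, .cap_setuid = cap_setuid,
	};
	return match_uid_euid(&rule, &cred);
}

int main(void)
{
	/* Constructed scenarios for an euid=1000 rule. */
	printf("unprivileged, euid=1000:        %d\n",
	       euid_rule_matches(1000, 0, 1000, 0, false));
	printf("unprivileged, only suid=1000:   %d\n",
	       euid_rule_matches(1000, 0, 0, 1000, false));
	printf("CAP_SETUID, only suid=1000:     %d\n",
	       euid_rule_matches(1000, 0, 0, 1000, true));
	printf("CAP_SETUID, no id equals 1000:  %d\n",
	       euid_rule_matches(1000, 0, 0, 0, true));
	return 0;
}
```

The second and third scenarios are the ones a policy author should keep in mind: the same task ids match the rule only when the task is CAP_SETUID-capable, because the code treats the saved uid of a capable task as one it could make effective at any time.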