
[v8,08/19] ima: Use mac_admin_ns_capable() to check corresponding capability

Message ID 20220104170416.1923685-9-stefanb@linux.vnet.ibm.com (mailing list archive)
State New, archived

Commit Message

Stefan Berger Jan. 4, 2022, 5:04 p.m. UTC
From: Stefan Berger <stefanb@linux.ibm.com>

Use mac_admin_ns_capable() to check the corresponding capability, allowing
the IMA policy to be read/written without CAP_SYS_ADMIN but with CAP_MAC_ADMIN.

Signed-off-by: Denis Semakin <denis.semakin@huawei.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 include/linux/capability.h      | 6 ++++++
 security/integrity/ima/ima.h    | 6 ++++++
 security/integrity/ima/ima_fs.c | 3 ++-
 3 files changed, 14 insertions(+), 1 deletion(-)

Comments

kernel test robot Jan. 5, 2022, 8:55 p.m. UTC | #1
Hi Stefan,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on linux/master]
[also build test WARNING on linus/master v5.16-rc8]
[cannot apply to zohar-integrity/next-integrity jmorris-security/next-testing next-20220105]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Stefan-Berger/ima-Namespace-IMA-with-audit-support-in-IMA-ns/20220105-010946
base:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 136057256686de39cc3a07c2e39ef6bc43003ff6
config: mips-randconfig-r002-20220105 (https://download.01.org/0day-ci/archive/20220106/202201060430.LHZbFhad-lkp@intel.com/config)
compiler: clang version 14.0.0 (https://github.com/llvm/llvm-project d5b6e30ed3acad794dd0aec400e617daffc6cc3d)
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # install mips cross compiling tool for clang build
        # apt-get install binutils-mips-linux-gnu
        # https://github.com/0day-ci/linux/commit/fa09a3da70380ef32e9a644c08a04cc8f4630baf
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Stefan-Berger/ima-Namespace-IMA-with-audit-support-in-IMA-ns/20220105-010946
        git checkout fa09a3da70380ef32e9a644c08a04cc8f4630baf
        # save the config file to linux build tree
        mkdir build_dir
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=mips SHELL=/bin/bash drivers/nvmem/ security/integrity/ima/

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All warnings (new ones prefixed by >>):

>> security/integrity/ima/ima_fs.c:380:25: warning: unused variable 'user_ns'
   struct user_namespace = ima_user_ns_from_file(filp);
   ^
   fatal error: error in backend: Nested variants found in inline asm string: ' .set push
   .set mips64r2
   .if ( 0x00 ) != -1)) 0x00 ) != -1)) : ($( static struct ftrace_branch_data __attribute__((__aligned__(4))) __attribute__((__section__("_ftrace_branch"))) __if_trace = $( .func = __func__, .file = "arch/mips/include/asm/bitops.h", .line = 192, $); 0x00 ) != -1)) : $))) ) && ( 0 ); .set push; .set mips64r2; .rept 1; sync 0x00; .endr; .set pop; .else; ; .endif
   1: ll $0, $2
   or $1, $0, $3
   sc $1, $2
   beqz $1, 1b
   .set pop
   '
   PLEASE submit a bug report to https://bugs.llvm.org/ and include the crash backtrace, preprocessed source, and associated run script.
   Stack dump:
   0. Program arguments: clang -Wp,-MMD,security/integrity/ima/.ima_fs.o.d -nostdinc -Iarch/mips/include -I./arch/mips/include/generated -Iinclude -I./include -Iarch/mips/include/uapi -I./arch/mips/include/generated/uapi -Iinclude/uapi -I./include/generated/uapi -include include/linux/compiler-version.h -include include/linux/kconfig.h -include include/linux/compiler_types.h -D__KERNEL__ -DVMLINUX_LOAD_ADDRESS=0xffffffff84000000 -DLINKER_LOAD_ADDRESS=0x84000000 -DDATAOFFSET=0 -Qunused-arguments -fmacro-prefix-map== -DKBUILD_EXTRA_WARN1 -Wall -Wundef -Werror=strict-prototypes -Wno-trigraphs -fno-strict-aliasing -fno-common -fshort-wchar -fno-PIE -Werror=implicit-function-declaration -Werror=implicit-int -Werror=return-type -Wno-format-security -std=gnu89 --target=mipsel-linux -fintegrated-as -Werror=unknown-warning-option -Werror=ignored-optimization-argument -mno-check-zero-division -mabi=32 -G 0 -mno-abicalls -fno-pic -pipe -msoft-float -DGAS_HAS_SET_HARDFLOAT -Wa,-msoft-float -ffreestanding -EL -fno-stack-check -march=mips32 -Wa,--trap -DTOOLCHAIN_SUPPORTS_VIRT -Iarch/mips/include/asm/mach-au1x00 -Iarch/mips/include/asm/mach-generic -fno-asynchronous-unwind-tables -fno-delete-null-pointer-checks -Wno-frame-address -Wno-address-of-packed-member -O2 -Wframe-larger-than=1024 -fno-stack-protector -Wimplicit-fallthrough -Wno-gnu -mno-global-merge -Wno-unused-but-set-variable -Wno-unused-const-variable -ftrivial-auto-var-init=pattern -fno-stack-clash-protection -pg -falign-functions=64 -Wdeclaration-after-statement -Wvla -Wno-pointer-sign -Wno-array-bounds -fno-strict-overflow -fno-stack-check -Werror=date-time -Werror=incompatible-pointer-types -Wextra -Wunused -Wno-unused-parameter -Wmissing-declarations -Wmissing-format-attribute -Wmissing-prototypes -Wold-style-definition -Wmissing-include-dirs -Wunused-but-set-variable -Wunused-const-variable -Wno-missing-field-initializers -Wno-sign-compare -Wno-type-limits -fsanitize=array-bounds -fsanitize=unreachable 
-fsanitize=object-size -fsanitize=enum -fsanitize-coverage=trace-pc -I security/integrity/ima -I ./security/integrity/ima -ffunction-sections -fdata-sections -DKBUILD_MODFILE="security/integrity/ima/ima" -DKBUILD_BASENAME="ima_fs" -DKBUILD_MODNAME="ima" -D__KBUILD_MODNAME=kmod_ima -c -o security/integrity/ima/ima_fs.o security/integrity/ima/ima_fs.c
   1. <eof> parser at end of file
   2. Code generation
   3. Running pass 'Function Pass Manager' on module 'security/integrity/ima/ima_fs.c'.
   4. Running pass 'Mips Assembly Printer' on function '@ima_open_policy'
   #0 0x0000557a749c4b3f Signals.cpp:0:0
   #1 0x0000557a749c2a8c llvm::sys::CleanupOnSignal(unsigned long) (/opt/cross/clang-d5b6e30ed3/bin/clang-14+0x3401a8c)
   #2 0x0000557a74906667 llvm::CrashRecoveryContext::HandleExit(int) (/opt/cross/clang-d5b6e30ed3/bin/clang-14+0x3345667)
   #3 0x0000557a749bb13e llvm::sys::Process::Exit(int, bool) (/opt/cross/clang-d5b6e30ed3/bin/clang-14+0x33fa13e)
   #4 0x0000557a7264133b (/opt/cross/clang-d5b6e30ed3/bin/clang-14+0x108033b)
   #5 0x0000557a7490d10c llvm::report_fatal_error(llvm::Twine const&, bool) (/opt/cross/clang-d5b6e30ed3/bin/clang-14+0x334c10c)
   #6 0x0000557a755ef9b8 llvm::AsmPrinter::emitInlineAsm(llvm::MachineInstr const (/opt/cross/clang-d5b6e30ed3/bin/clang-14+0x402e9b8)
   #7 0x0000557a755eb759 llvm::AsmPrinter::emitFunctionBody() (/opt/cross/clang-d5b6e30ed3/bin/clang-14+0x402a759)
   #8 0x0000557a7309c82e llvm::MipsAsmPrinter::runOnMachineFunction(llvm::MachineFunction&) (/opt/cross/clang-d5b6e30ed3/bin/clang-14+0x1adb82e)
   #9 0x0000557a73d332fd llvm::MachineFunctionPass::runOnFunction(llvm::Function&) (.part.53) MachineFunctionPass.cpp:0:0
   #10 0x0000557a7416b867 llvm::FPPassManager::runOnFunction(llvm::Function&) (/opt/cross/clang-d5b6e30ed3/bin/clang-14+0x2baa867)
   #11 0x0000557a7416b9e1 llvm::FPPassManager::runOnModule(llvm::Module&) (/opt/cross/clang-d5b6e30ed3/bin/clang-14+0x2baa9e1)
   #12 0x0000557a7416ccbf llvm::legacy::PassManagerImpl::run(llvm::Module&) (/opt/cross/clang-d5b6e30ed3/bin/clang-14+0x2babcbf)
   #13 0x0000557a74cd64fa clang::EmitBackendOutput(clang::DiagnosticsEngine&, clang::HeaderSearchOptions const&, clang::CodeGenOptions const&, clang::TargetOptions const&, clang::LangOptions const&, llvm::StringRef, clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >) (/opt/cross/clang-d5b6e30ed3/bin/clang-14+0x37154fa)
   #14 0x0000557a75903ea3 clang::BackendConsumer::HandleTranslationUnit(clang::ASTContext&) (/opt/cross/clang-d5b6e30ed3/bin/clang-14+0x4342ea3)
   #15 0x0000557a76407fd9 clang::ParseAST(clang::Sema&, bool, bool) (/opt/cross/clang-d5b6e30ed3/bin/clang-14+0x4e46fd9)
   #16 0x0000557a75902cff clang::CodeGenAction::ExecuteAction() (/opt/cross/clang-d5b6e30ed3/bin/clang-14+0x4341cff)
   #17 0x0000557a75302001 clang::FrontendAction::Execute() (/opt/cross/clang-d5b6e30ed3/bin/clang-14+0x3d41001)
   #18 0x0000557a75299bda clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/opt/cross/clang-d5b6e30ed3/bin/clang-14+0x3cd8bda)
   #19 0x0000557a753cb07b (/opt/cross/clang-d5b6e30ed3/bin/clang-14+0x3e0a07b)
   #20 0x0000557a72642084 cc1_main(llvm::ArrayRef<char char (/opt/cross/clang-d5b6e30ed3/bin/clang-14+0x1081084)
   #21 0x0000557a7263f5cb ExecuteCC1Tool(llvm::SmallVectorImpl<char driver.cpp:0:0
   #22 0x0000557a75136b15 void llvm::function_ref<void ()>::callback_fn<clang::driver::CC1Command::Execute(llvm::ArrayRef<llvm::Optional<llvm::StringRef> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> const::'lambda'()>(long) Job.cpp:0:0
   #23 0x0000557a74906523 llvm::CrashRecoveryContext::RunSafely(llvm::function_ref<void ()>) (/opt/cross/clang-d5b6e30ed3/bin/clang-14+0x3345523)
   #24 0x0000557a7513740e clang::driver::CC1Command::Execute(llvm::ArrayRef<llvm::Optional<llvm::StringRef> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> const (.part.216) Job.cpp:0:0
   #25 0x0000557a7510dee7 clang::driver::Compilation::ExecuteCommand(clang::driver::Command const&, clang::driver::Command const (/opt/cross/clang-d5b6e30ed3/bin/clang-14+0x3b4cee7)
   #26 0x0000557a7510e8c7 clang::driver::Compilation::ExecuteJobs(clang::driver::JobList const&, llvm::SmallVectorImpl<std::pair<int, clang::driver::Command >&) const (/opt/cross/clang-d5b6e30ed3/bin/clang-14+0x3b4d8c7)
   #27 0x0000557a75118139 clang::driver::Driver::ExecuteCompilation(clang::driver::Compilation&, llvm::SmallVectorImpl<std::pair<int, clang::driver::Command >&) (/opt/cross/clang-d5b6e30ed3/bin/clang-14+0x3b57139)
   #28 0x0000557a7256a19f main (/opt/cross/clang-d5b6e30ed3/bin/clang-14+0xfa919f)
   #29 0x00007fc0e7a42d0a __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26d0a)
   #30 0x0000557a7263f0ea _start (/opt/cross/clang-d5b6e30ed3/bin/clang-14+0x107e0ea)
   clang-14: error: clang frontend command failed with exit code 70 (use -v to see invocation)
   clang version 14.0.0 (git://gitmirror/llvm_project d5b6e30ed3acad794dd0aec400e617daffc6cc3d)
   Target: mipsel-unknown-linux
   Thread model: posix
   InstalledDir: /opt/cross/clang-d5b6e30ed3/bin
   clang-14: note: diagnostic msg:
   Makefile arch drivers include kernel nr_bisected scripts security source usr


vim +/user_ns +380 security/integrity/ima/ima_fs.c

   374	
   375	/*
   376	 * ima_open_policy: sequentialize access to the policy file
   377	 */
   378	static int ima_open_policy(struct inode *inode, struct file *filp)
   379	{
 > 380		struct user_namespace *user_ns = ima_user_ns_from_file(filp);
   381		struct ima_namespace *ns = &init_ima_ns;
   382	
   383		if (!(filp->f_flags & O_WRONLY)) {
   384	#ifndef	CONFIG_IMA_READ_POLICY
   385			return -EACCES;
   386	#else
   387			if ((filp->f_flags & O_ACCMODE) != O_RDONLY)
   388				return -EACCES;
   389			if (!mac_admin_ns_capable(user_ns))
   390				return -EPERM;
   391			return seq_open(filp, &ima_policy_seqops);
   392	#endif
   393		}
   394		if (test_and_set_bit(IMA_FS_BUSY, &ns->ima_fs_flags))
   395			return -EBUSY;
   396		return 0;
   397	}
   398	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
Mimi Zohar Jan. 13, 2022, 8:28 p.m. UTC | #2
Hi Stefan, Denis,

mac_admin_ns_capable() is being introduced in this patch.  Either
rename the "Subject" line as "ima: replace capable() call with
ns_capable()" or "ima: define mac_admin_ns_capable() as a wrapper for
ns_capable()".

On Tue, 2022-01-04 at 12:04 -0500, Stefan Berger wrote:
> From: Stefan Berger <stefanb@linux.ibm.com>
> 
> Use mac_admin_ns_capable() to check corresponding capability to allow
> read/write IMA policy without CAP_SYS_ADMIN but with CAP_MAC_ADMIN.

Update the patch description accordingly.

> 
> Signed-off-by: Denis Semakin <denis.semakin@huawei.com>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

thanks,

Mimi


diff --git a/include/linux/capability.h b/include/linux/capability.h
index 65efb74c3585..991579178f32 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -270,6 +270,12 @@  static inline bool checkpoint_restore_ns_capable(struct user_namespace *ns)
 		ns_capable(ns, CAP_SYS_ADMIN);
 }
 
+static inline bool mac_admin_ns_capable(struct user_namespace *ns)
+{
+	return ns_capable(ns, CAP_MAC_ADMIN) ||
+		ns_capable(ns, CAP_SYS_ADMIN);
+}
+
 /* audit system wants to get cap info from files as well */
 int get_vfs_caps_from_disk(struct user_namespace *mnt_userns,
 			   const struct dentry *dentry,
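Review bot: The new mac_admin_ns_capable() helper at the top of the hunk carries no comment, and its name does not convey that CAP_SYS_ADMIN is still accepted as a fallback, so a reader of a call site cannot tell that the classic admin capability keeps granting access. A short kernel-doc above the definition would make the contract explicit, e.g. `/* True if current has CAP_MAC_ADMIN, or CAP_SYS_ADMIN for backwards compatibility, in @ns. */`. Because the two ns_capable() calls are evaluated in order, a caller lacking CAP_MAC_ADMIN is checked a second time for CAP_SYS_ADMIN; this mirrors checkpoint_restore_ns_capable() directly above it, so the ordering is presumably intentional, but it is worth stating in the comment.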
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 224b09617c52..0c86a955cedf 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -483,6 +483,12 @@  static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op,
 #define	POLICY_FILE_FLAGS	S_IWUSR
 #endif /* CONFIG_IMA_READ_POLICY */
 
+static inline
+struct user_namespace *ima_user_ns_from_file(const struct file *filp)
+{
+	return file_inode(filp)->i_sb->s_user_ns;
+}
+
 static inline struct ima_namespace *get_current_ns(void)
 {
 	return &init_ima_ns;
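Review bot: ima_user_ns_from_file() is added without a comment, yet which user namespace it returns decides every capability check built on it: it is the owner of the superblock holding @filp's inode (s_user_ns), not the opener's namespace and not an IMA namespace. A one-line kernel-doc would remove the ambiguity, e.g. `/* User namespace that owns the superblock @filp was opened on (s_user_ns). */`. If securityfs is only ever mounted in the initial user namespace at this point in the series, the returned value is init_user_ns and the resulting check is equivalent to the old capable() call; saying so here would prevent the argument from being mistaken for the caller's namespace.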
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index 5b6404991b37..71302bb5427f 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -377,6 +377,7 @@  static const struct seq_operations ima_policy_seqops = {
  */
 static int ima_open_policy(struct inode *inode, struct file *filp)
 {
+	struct user_namespace *user_ns = ima_user_ns_from_file(filp);
 	struct ima_namespace *ns = &init_ima_ns;
 
 	if (!(filp->f_flags & O_WRONLY)) {
@@ -385,7 +386,7 @@  static int ima_open_policy(struct inode *inode, struct file *filp)
 #else
 		if ((filp->f_flags & O_ACCMODE) != O_RDONLY)
 			return -EACCES;
-		if (!capable(CAP_SYS_ADMIN))
+		if (!mac_admin_ns_capable(user_ns))
 			return -EPERM;
 		return seq_open(filp, &ima_policy_seqops);
 #endif
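Review bot: The capability change applies only to the read path: `if (!mac_admin_ns_capable(user_ns))` replaces capable(CAP_SYS_ADMIN) inside the CONFIG_IMA_READ_POLICY branch, while the O_WRONLY path that follows is not touched by this hunk and shows no corresponding check, so the commit message's "read/write IMA policy ... with CAP_MAC_ADMIN" is only borne out for reads here. If writes are meant to be gated by the same helper, the check belongs on the write path too; if write access is intentionally left to the file's mode bits (POLICY_FILE_FLAGS), the description should say so rather than claim both. ima_open_policy() continues beyond the end of the hunk, so the write-path handling is not visible here and this is inferred from the hunk alone.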