From: Stefan Berger <stefanb@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: zohar@linux.ibm.com, serge@hallyn.com, brauner@kernel.org,
containers@lists.linux.dev, dmitry.kasatkin@gmail.com,
ebiederm@xmission.com, krzysztof.struczynski@huawei.com,
roberto.sassu@huawei.com, mpeters@redhat.com, lhinds@redhat.com,
lsturman@redhat.com, puiterwi@redhat.com, jejb@linux.ibm.com,
jamjoom@us.ibm.com, linux-kernel@vger.kernel.org,
paul@paul-moore.com, rgb@redhat.com,
linux-security-module@vger.kernel.org, jmorris@namei.org,
jpenumak@redhat.com, Stefan Berger <stefanb@linux.ibm.com>,
Alexander Viro <viro@zeniv.linux.org.uk>,
linux-fsdevel@vger.kernel.org,
Denis Semakin <denis.semakin@huawei.com>
Subject: [PATCH v15 11/26] ima: Define mac_admin_ns_capable() as a wrapper for ns_capable()
Date: Mon, 6 Feb 2023 09:02:38 -0500 [thread overview]
Message-ID: <20230206140253.3755945-12-stefanb@linux.ibm.com> (raw)
In-Reply-To: <20230206140253.3755945-1-stefanb@linux.ibm.com>
Define mac_admin_ns_capable() as a wrapper for the combined ns_capable()
checks on CAP_MAC_ADMIN and CAP_SYS_ADMIN in a user namespace. Return
true on the check if either capability or both are available.
Use mac_admin_ns_capable() in place of capable(SYS_ADMIN). This will allow
an IMA namespace to read the policy with only CAP_MAC_ADMIN, which has
less privileges than CAP_SYS_ADMIN.
Since CAP_MAC_ADMIN is an additional capability added to an existing gate
avoid auditing in case it is not set.
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Denis Semakin <denis.semakin@huawei.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
v13:
- implemented file_sb_user_ns(const struct file *); const is needed so it
can be called with seq_file's 'const struct file *file'
v11:
- use ns_capable_noaudit for CAP_MAC_ADMIN to avoid auditing in this case
---
include/linux/capability.h | 6 ++++++
include/linux/fs.h | 5 +++++
security/integrity/ima/ima.h | 6 ++++++
security/integrity/ima/ima_fs.c | 5 ++++-
4 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/include/linux/capability.h b/include/linux/capability.h
index 65efb74c3585..dc3e1230b365 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -270,6 +270,12 @@ static inline bool checkpoint_restore_ns_capable(struct user_namespace *ns)
ns_capable(ns, CAP_SYS_ADMIN);
}
+static inline bool mac_admin_ns_capable(struct user_namespace *ns)
+{
+ return ns_capable_noaudit(ns, CAP_MAC_ADMIN) ||
+ ns_capable(ns, CAP_SYS_ADMIN);
+}
+
/* audit system wants to get cap info from files as well */
int get_vfs_caps_from_disk(struct user_namespace *mnt_userns,
const struct dentry *dentry,
diff --git a/include/linux/fs.h b/include/linux/fs.h
index c1769a2c5d70..4662efed3171 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -2730,6 +2730,11 @@ static inline struct user_namespace *file_mnt_user_ns(struct file *file)
return mnt_user_ns(file->f_path.mnt);
}
+static inline struct user_namespace *file_sb_user_ns(const struct file *file)
+{
+ return i_user_ns(file_inode(file));
+}
+
static inline struct mnt_idmap *file_mnt_idmap(struct file *file)
{
return mnt_idmap(file->f_path.mnt);
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 4de8ec776611..69f95ed0b8c6 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -492,4 +492,10 @@ static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op,
#define POLICY_FILE_FLAGS S_IWUSR
#endif /* CONFIG_IMA_READ_POLICY */
+static inline
+struct user_namespace *ima_user_ns_from_file(const struct file *filp)
+{
+ return file_sb_user_ns(filp);
+}
+
#endif /* __LINUX_IMA_H */
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index 89d3113ceda1..c41aa61b7393 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -377,6 +377,9 @@ static const struct seq_operations ima_policy_seqops = {
*/
static int ima_open_policy(struct inode *inode, struct file *filp)
{
+#ifdef CONFIG_IMA_READ_POLICY
+ struct user_namespace *user_ns = ima_user_ns_from_file(filp);
+#endif
struct ima_namespace *ns = &init_ima_ns;
if (!(filp->f_flags & O_WRONLY)) {
@@ -385,7 +388,7 @@ static int ima_open_policy(struct inode *inode, struct file *filp)
#else
if ((filp->f_flags & O_ACCMODE) != O_RDONLY)
return -EACCES;
- if (!capable(CAP_SYS_ADMIN))
+ if (!mac_admin_ns_capable(user_ns))
return -EPERM;
return seq_open(filp, &ima_policy_seqops);
#endif
--
2.37.3
next prev parent reply other threads:[~2023-02-06 14:03 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-06 14:02 [PATCH v15 00/26] ima: Namespace IMA with audit support in IMA-ns Stefan Berger
2023-02-06 14:02 ` [PATCH v15 01/26] securityfs: rework dentry creation Stefan Berger
2023-02-10 0:39 ` Jarkko Sakkinen
2023-02-06 14:02 ` [PATCH v15 02/26] securityfs: Extend securityfs with namespacing support Stefan Berger
2023-02-06 14:02 ` [PATCH v15 03/26] ima: Define ima_namespace struct and start moving variables into it Stefan Berger
2023-02-06 14:02 ` [PATCH v15 04/26] ima: Move arch_policy_entry into ima_namespace Stefan Berger
2023-02-06 14:02 ` [PATCH v15 05/26] ima: Move ima_htable " Stefan Berger
2023-02-06 14:02 ` [PATCH v15 06/26] ima: Move measurement list related variables " Stefan Berger
2023-02-06 14:02 ` [PATCH v15 07/26] ima: Move some IMA policy and filesystem " Stefan Berger
2023-02-06 14:02 ` [PATCH v15 08/26] ima: Move IMA securityfs files into ima_namespace or onto stack Stefan Berger
2023-02-06 14:02 ` [PATCH v15 09/26] ima: Move ima_lsm_policy_notifier into ima_namespace Stefan Berger
2023-02-06 14:02 ` [PATCH v15 10/26] ima: Switch to lazy lsm policy updates for better performance Stefan Berger
2023-02-06 14:02 ` Stefan Berger [this message]
2023-02-06 14:02 ` [PATCH v15 12/26] ima: Only accept AUDIT rules for non-init_ima_ns namespaces for now Stefan Berger
2023-02-06 14:02 ` [PATCH v15 13/26] userns: Add pointer to ima_namespace to user_namespace Stefan Berger
2023-02-06 14:02 ` [PATCH v15 14/26] ima: Implement hierarchical processing of file accesses Stefan Berger
2023-02-06 14:02 ` [PATCH v15 15/26] ima: Implement ima_free_policy_rules() for freeing of an ima_namespace Stefan Berger
2023-02-06 14:02 ` [PATCH v15 16/26] ima: Add functions for creating and " Stefan Berger
2023-02-06 14:02 ` [PATCH v15 17/26] integrity/ima: Define ns_status for storing namespaced iint data Stefan Berger
2023-02-06 14:02 ` [PATCH v15 18/26] integrity: Add optional callback function to integrity_inode_free() Stefan Berger
2023-02-06 14:02 ` [PATCH v15 19/26] ima: Namespace audit status flags Stefan Berger
2023-02-06 14:02 ` [PATCH v15 20/26] ima: Remove unused iints from the integrity_iint_cache Stefan Berger
2023-02-06 14:02 ` [PATCH v15 21/26] ima: Setup securityfs for IMA namespace Stefan Berger
2023-02-06 14:02 ` [PATCH v15 22/26] ima: Introduce securityfs file to activate an " Stefan Berger
2023-02-06 14:02 ` [PATCH v15 23/26] ima: Show owning user namespace's uid and gid when displaying policy Stefan Berger
2023-02-06 14:02 ` [PATCH v15 24/26] ima: Limit number of policy rules in non-init_ima_ns Stefan Berger
2023-02-06 14:02 ` [PATCH v15 25/26] ima: Restrict informational audit messages to init_ima_ns Stefan Berger
2023-02-06 14:02 ` [PATCH v15 26/26] ima: Enable IMA namespaces Stefan Berger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230206140253.3755945-12-stefanb@linux.ibm.com \
--to=stefanb@linux.ibm.com \
--cc=brauner@kernel.org \
--cc=containers@lists.linux.dev \
--cc=denis.semakin@huawei.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=ebiederm@xmission.com \
--cc=jamjoom@us.ibm.com \
--cc=jejb@linux.ibm.com \
--cc=jmorris@namei.org \
--cc=jpenumak@redhat.com \
--cc=krzysztof.struczynski@huawei.com \
--cc=lhinds@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lsturman@redhat.com \
--cc=mpeters@redhat.com \
--cc=paul@paul-moore.com \
--cc=puiterwi@redhat.com \
--cc=rgb@redhat.com \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=viro@zeniv.linux.org.uk \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.