From: Stefan Berger <stefanb@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: zohar@linux.ibm.com, serge@hallyn.com,
christian.brauner@ubuntu.com, containers@lists.linux.dev,
dmitry.kasatkin@gmail.com, ebiederm@xmission.com,
krzysztof.struczynski@huawei.com, roberto.sassu@huawei.com,
mpeters@redhat.com, lhinds@redhat.com, lsturman@redhat.com,
puiterwi@redhat.com, jejb@linux.ibm.com, jamjoom@us.ibm.com,
linux-kernel@vger.kernel.org, paul@paul-moore.com,
rgb@redhat.com, linux-security-module@vger.kernel.org,
jmorris@namei.org, Stefan Berger <stefanb@linux.ibm.com>
Subject: [PATCH v5 10/16] ima: Implement hierarchical processing of file accesses
Date: Wed, 8 Dec 2021 17:18:12 -0500 [thread overview]
Message-ID: <20211208221818.1519628-11-stefanb@linux.ibm.com> (raw)
In-Reply-To: <20211208221818.1519628-1-stefanb@linux.ibm.com>
Implement hierarchical processing of file accesses in IMA namespaces by
walking the list of IMA namespaces towards the init_ima_ns. This way
file accesses can be audited in an IMA namespace and also be evaluated
against the IMA policies of parent IMA namespaces.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
security/integrity/ima/ima_main.c | 29 +++++++++++++++++++++++++----
1 file changed, 25 insertions(+), 4 deletions(-)
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 2121a831f38a..70fa26b7bd3f 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -200,10 +200,10 @@ void ima_file_free(struct file *file)
ima_check_last_writer(iint, inode, file);
}
-static int process_measurement(struct ima_namespace *ns,
- struct file *file, const struct cred *cred,
- u32 secid, char *buf, loff_t size, int mask,
- enum ima_hooks func)
+static int __process_measurement(struct ima_namespace *ns,
+ struct file *file, const struct cred *cred,
+ u32 secid, char *buf, loff_t size, int mask,
+ enum ima_hooks func)
{
struct inode *inode = file_inode(file);
struct integrity_iint_cache *iint = NULL;
@@ -405,6 +405,27 @@ static int process_measurement(struct ima_namespace *ns,
return 0;
}
+static int process_measurement(struct ima_namespace *ns,
+ struct file *file, const struct cred *cred,
+ u32 secid, char *buf, loff_t size, int mask,
+ enum ima_hooks func)
+{
+ struct user_namespace *user_ns = ns->user_ns;
+ int ret = 0;
+
+ while (user_ns) {
+ ns = user_ns->ima_ns;
+
+ ret = __process_measurement(ns, file, cred, secid, buf, size, mask, func);
+ if (ret)
+ break;
+
+ user_ns = user_ns->parent;
+ };
+
+ return ret;
+}
+
/**
* ima_file_mmap - based on policy, collect/store measurement.
* @file: pointer to the file to be measured (May be NULL)
--
2.31.1
next prev parent reply other threads:[~2021-12-08 22:18 UTC|newest]
Thread overview: 73+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-08 22:18 [PATCH v5 00/16] ima: Namespace IMA with audit support in IMA-ns Stefan Berger
2021-12-08 22:18 ` [PATCH v5 01/16] ima: Add IMA namespace support Stefan Berger
2021-12-09 4:40 ` kernel test robot
2021-12-09 4:40 ` kernel test robot
2021-12-09 10:56 ` kernel test robot
2021-12-09 10:56 ` kernel test robot
2021-12-09 13:19 ` kernel test robot
2021-12-09 13:19 ` kernel test robot
2021-12-10 16:00 ` kernel test robot
2021-12-10 16:00 ` kernel test robot
2021-12-08 22:18 ` [PATCH v5 02/16] ima: Define ns_status for storing namespaced iint data Stefan Berger
2021-12-08 22:18 ` [PATCH v5 03/16] ima: Namespace audit status flags Stefan Berger
2021-12-08 22:18 ` [PATCH v5 04/16] ima: Move delayed work queue and variables into ima_namespace Stefan Berger
2021-12-09 13:11 ` Christian Brauner
2021-12-09 15:09 ` Stefan Berger
2021-12-08 22:18 ` [PATCH v5 05/16] ima: Move IMA's keys queue related " Stefan Berger
2021-12-08 22:18 ` [PATCH v5 06/16] ima: Move policy " Stefan Berger
2021-12-08 22:18 ` [PATCH v5 07/16] ima: Move ima_htable " Stefan Berger
2021-12-09 16:26 ` kernel test robot
2021-12-09 16:26 ` kernel test robot
2021-12-08 22:18 ` [PATCH v5 08/16] ima: Move measurement list related variables " Stefan Berger
2021-12-08 22:18 ` [PATCH v5 09/16] ima: Only accept AUDIT rules for IMA non-init_ima_ns namespaces for now Stefan Berger
2021-12-08 22:18 ` Stefan Berger [this message]
2021-12-08 22:18 ` [PATCH v5 11/16] securityfs: Only use simple_pin_fs/simple_release_fs for init_user_ns Stefan Berger
2021-12-08 22:18 ` [PATCH v5 12/16] securityfs: Extend securityfs with namespacing support Stefan Berger
2021-12-08 22:18 ` [PATCH v5 13/16] ima: Move some IMA policy and filesystem related variables into ima_namespace Stefan Berger
2021-12-09 19:11 ` Christian Brauner
2021-12-09 20:42 ` Stefan Berger
2021-12-10 0:57 ` Stefan Berger
2021-12-10 11:32 ` Christian Brauner
2021-12-10 13:57 ` Stefan Berger
2021-12-10 14:21 ` James Bottomley
2021-12-11 9:50 ` Christian Brauner
2021-12-11 10:45 ` Christian Brauner
2021-12-13 15:33 ` Stefan Berger
2021-12-13 15:50 ` Christian Brauner
2021-12-13 16:03 ` Christian Brauner
2021-12-13 16:25 ` Stefan Berger
2021-12-13 16:37 ` Christian Brauner
2021-12-13 16:40 ` Christian Brauner
2021-12-10 20:08 ` Stefan Berger
2021-12-11 8:46 ` Christian Brauner
2021-12-08 22:18 ` [PATCH v5 14/16] ima: Use mac_admin_ns_capable() to check corresponding capability Stefan Berger
2021-12-09 7:22 ` Denis Semakin
2021-12-09 13:23 ` James Bottomley
2021-12-09 8:09 ` Denis Semakin
2021-12-11 15:02 ` Serge E. Hallyn
2021-12-11 15:38 ` Stefan Berger
2021-12-11 16:00 ` James Bottomley
2021-12-08 22:18 ` [PATCH v5 15/16] ima: Move dentries into ima_namespace Stefan Berger
2021-12-09 14:34 ` Christian Brauner
2021-12-09 14:37 ` Christian Brauner
2021-12-09 14:41 ` Christian Brauner
2021-12-09 15:00 ` Stefan Berger
2021-12-09 15:47 ` Christian Brauner
2021-12-09 15:30 ` James Bottomley
2021-12-09 19:38 ` James Bottomley
2021-12-09 20:13 ` Stefan Berger
2021-12-10 11:49 ` Christian Brauner
2021-12-10 12:09 ` Mimi Zohar
2021-12-10 12:40 ` Stefan Berger
2021-12-10 13:02 ` Mimi Zohar
2021-12-10 14:17 ` Stefan Berger
2021-12-10 14:26 ` James Bottomley
2021-12-10 15:26 ` Mimi Zohar
2021-12-10 15:32 ` Stefan Berger
2021-12-10 15:48 ` Mimi Zohar
2021-12-10 16:40 ` Stefan Berger
2021-12-10 12:40 ` James Bottomley
2021-12-10 12:54 ` Mimi Zohar
2021-12-12 14:13 ` James Bottomley
2021-12-13 11:25 ` Christian Brauner
2021-12-08 22:18 ` [PATCH v5 16/16] ima: Setup securityfs for IMA namespace Stefan Berger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211208221818.1519628-11-stefanb@linux.ibm.com \
--to=stefanb@linux.ibm.com \
--cc=christian.brauner@ubuntu.com \
--cc=containers@lists.linux.dev \
--cc=dmitry.kasatkin@gmail.com \
--cc=ebiederm@xmission.com \
--cc=jamjoom@us.ibm.com \
--cc=jejb@linux.ibm.com \
--cc=jmorris@namei.org \
--cc=krzysztof.struczynski@huawei.com \
--cc=lhinds@redhat.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lsturman@redhat.com \
--cc=mpeters@redhat.com \
--cc=paul@paul-moore.com \
--cc=puiterwi@redhat.com \
--cc=rgb@redhat.com \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.