From: Stefan Berger <stefanb@linux.ibm.com>
To: "Serge E. Hallyn" <serge@hallyn.com>
Cc: linux-integrity@vger.kernel.org, zohar@linux.ibm.com,
christian.brauner@ubuntu.com, containers@lists.linux.dev,
dmitry.kasatkin@gmail.com, ebiederm@xmission.com,
krzysztof.struczynski@huawei.com, roberto.sassu@huawei.com,
mpeters@redhat.com, lhinds@redhat.com, lsturman@redhat.com,
puiterwi@redhat.com, jejb@linux.ibm.com, jamjoom@us.ibm.com,
linux-kernel@vger.kernel.org, paul@paul-moore.com,
rgb@redhat.com, linux-security-module@vger.kernel.org,
jmorris@namei.org, jpenumak@redhat.com
Subject: Re: [PATCH v12 23/26] ima: Show owning user namespace's uid and gid when displaying policy
Date: Tue, 24 May 2022 09:19:26 -0400 [thread overview]
Message-ID: <e1c3941e-80d4-f8f2-774e-01bd89fd474a@linux.ibm.com> (raw)
In-Reply-To: <20220522175452.GB24519@mail.hallyn.com>
On 5/22/22 13:54, Serge E. Hallyn wrote:
> On Wed, Apr 20, 2022 at 10:06:30AM -0400, Stefan Berger wrote:
>> Show the uid and gid values relative to the user namespace that is
>> currently active. The effect of this changes is that when one displays
>
> When you say "is currently active", in my mind it's not clear whether you
> mean in the process which opened the seq_file, or is active in the ima_ns,
> or the reader (which might I guess be differenet still). The code of
> course does make it clear. Can you change it to say "the user namespace
> which opened the policy_show file" or something like that?
>
> Also, s/The effect of this changes/The effect of this change/.
>
>> the policy from the user namespace that originally set the policy,
>> the same uid and gid values are shown in the policy as those that were
>> used when the policy was set.
>>
>> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
>>
>
> Reviewed-by: Serge Hallyn <serge@hallyn.com>
I modified the text above now to state:
Show the uid and gid values relative to the user namespace that opened
the IMA policy file. The effect of this change is that when one displays
the policy from the user namespace that originally set the policy,
the same uid and gid values are shown in the policy as those that were
used when the policy was set.
Thanks.
Stefan
>
>> ---
>> v9:
>> - use seq_user_ns and from_k{g,u}id_munged()
>> ---
>> security/integrity/ima/ima_policy.c | 19 +++++++++++++------
>> 1 file changed, 13 insertions(+), 6 deletions(-)
>>
>> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
>> index eb10d895923d..4f8c50ddb777 100644
>> --- a/security/integrity/ima/ima_policy.c
>> +++ b/security/integrity/ima/ima_policy.c
>> @@ -2018,6 +2018,7 @@ static void ima_policy_show_appraise_algos(struct seq_file *m,
>>
>> int ima_policy_show(struct seq_file *m, void *v)
>> {
>> + struct user_namespace *user_ns = seq_user_ns(m);
>> struct ima_rule_entry *entry = v;
>> int i;
>> char tbuf[64] = {0,};
>> @@ -2103,7 +2104,8 @@ int ima_policy_show(struct seq_file *m, void *v)
>> }
>>
>> if (entry->flags & IMA_UID) {
>> - snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));
>> + snprintf(tbuf, sizeof(tbuf),
>> + "%d", from_kuid_munged(user_ns, entry->uid));
>> if (entry->uid_op == &uid_gt)
>> seq_printf(m, pt(Opt_uid_gt), tbuf);
>> else if (entry->uid_op == &uid_lt)
>> @@ -2114,7 +2116,8 @@ int ima_policy_show(struct seq_file *m, void *v)
>> }
>>
>> if (entry->flags & IMA_EUID) {
>> - snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));
>> + snprintf(tbuf, sizeof(tbuf),
>> + "%d", from_kuid_munged(user_ns, entry->uid));
>> if (entry->uid_op == &uid_gt)
>> seq_printf(m, pt(Opt_euid_gt), tbuf);
>> else if (entry->uid_op == &uid_lt)
>> @@ -2125,7 +2128,8 @@ int ima_policy_show(struct seq_file *m, void *v)
>> }
>>
>> if (entry->flags & IMA_GID) {
>> - snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->gid));
>> + snprintf(tbuf, sizeof(tbuf),
>> + "%d", from_kgid_munged(user_ns, entry->gid));
>> if (entry->gid_op == &gid_gt)
>> seq_printf(m, pt(Opt_gid_gt), tbuf);
>> else if (entry->gid_op == &gid_lt)
>> @@ -2136,7 +2140,8 @@ int ima_policy_show(struct seq_file *m, void *v)
>> }
>>
>> if (entry->flags & IMA_EGID) {
>> - snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->gid));
>> + snprintf(tbuf, sizeof(tbuf),
>> + "%d", from_kgid_munged(user_ns, entry->gid));
>> if (entry->gid_op == &gid_gt)
>> seq_printf(m, pt(Opt_egid_gt), tbuf);
>> else if (entry->gid_op == &gid_lt)
>> @@ -2147,7 +2152,8 @@ int ima_policy_show(struct seq_file *m, void *v)
>> }
>>
>> if (entry->flags & IMA_FOWNER) {
>> - snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner));
>> + snprintf(tbuf, sizeof(tbuf),
>> + "%d", from_kuid_munged(user_ns, entry->fowner));
>> if (entry->fowner_op == &uid_gt)
>> seq_printf(m, pt(Opt_fowner_gt), tbuf);
>> else if (entry->fowner_op == &uid_lt)
>> @@ -2158,7 +2164,8 @@ int ima_policy_show(struct seq_file *m, void *v)
>> }
>>
>> if (entry->flags & IMA_FGROUP) {
>> - snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->fgroup));
>> + snprintf(tbuf, sizeof(tbuf),
>> + "%d", from_kgid_munged(user_ns, entry->fgroup));
>> if (entry->fgroup_op == &gid_gt)
>> seq_printf(m, pt(Opt_fgroup_gt), tbuf);
>> else if (entry->fgroup_op == &gid_lt)
>> --
>> 2.34.1
next prev parent reply other threads:[~2022-05-24 13:19 UTC|newest]
Thread overview: 76+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-20 14:06 [PATCH v12 00/26] ima: Namespace IMA with audit support in IMA-ns Stefan Berger
2022-04-20 14:06 ` [PATCH v12 01/26] securityfs: rework dentry creation Stefan Berger
2022-05-09 19:54 ` Serge E. Hallyn
2022-05-09 20:36 ` Serge E. Hallyn
2022-05-10 8:43 ` Amir Goldstein
2022-05-10 10:38 ` Christian Brauner
2022-05-10 14:51 ` Serge E. Hallyn
2022-05-10 14:53 ` Serge E. Hallyn
2022-05-10 10:26 ` Christian Brauner
2022-05-10 10:25 ` Christian Brauner
2022-05-10 14:10 ` Serge E. Hallyn
2022-05-10 15:51 ` Christian Brauner
2022-05-10 18:51 ` Serge E. Hallyn
2022-05-10 20:41 ` Serge E. Hallyn
2022-06-09 14:27 ` Mimi Zohar
2022-05-10 16:50 ` Stefan Berger
2022-04-20 14:06 ` [PATCH v12 02/26] securityfs: Extend securityfs with namespacing support Stefan Berger
2022-05-21 2:23 ` Serge E. Hallyn
2022-05-21 9:38 ` Christian Brauner
2022-05-21 15:09 ` Serge E. Hallyn
2022-07-07 14:34 ` Stefan Berger
2022-04-20 14:06 ` [PATCH v12 03/26] ima: Define ima_namespace struct and start moving variables into it Stefan Berger
2022-05-21 2:33 ` Serge E. Hallyn
2022-05-24 14:57 ` Stefan Berger
2022-05-24 15:05 ` Serge E. Hallyn
2022-05-24 16:18 ` Stefan Berger
2022-04-20 14:06 ` [PATCH v12 04/26] ima: Move arch_policy_entry into ima_namespace Stefan Berger
2022-05-21 2:46 ` Serge E. Hallyn
2022-05-21 3:07 ` Serge E. Hallyn
2022-07-07 14:12 ` Stefan Berger
2022-04-20 14:06 ` [PATCH v12 05/26] ima: Move ima_htable " Stefan Berger
2022-05-21 2:50 ` Serge E. Hallyn
2022-04-20 14:06 ` [PATCH v12 06/26] ima: Move measurement list related variables " Stefan Berger
2022-05-21 2:55 ` Serge E. Hallyn
2022-04-20 14:06 ` [PATCH v12 07/26] ima: Move some IMA policy and filesystem " Stefan Berger
2022-05-21 3:03 ` Serge E. Hallyn
2022-04-20 14:06 ` [PATCH v12 08/26] ima: Move IMA securityfs files into ima_namespace or onto stack Stefan Berger
2022-05-21 3:24 ` Serge E. Hallyn
2022-04-20 14:06 ` [PATCH v12 09/26] ima: Move ima_lsm_policy_notifier into ima_namespace Stefan Berger
2022-05-22 2:35 ` Serge E. Hallyn
2022-04-20 14:06 ` [PATCH v12 10/26] ima: Switch to lazy lsm policy updates for better performance Stefan Berger
2022-05-22 17:06 ` Serge E. Hallyn
2022-04-20 14:06 ` [PATCH v12 11/26] ima: Define mac_admin_ns_capable() as a wrapper for ns_capable() Stefan Berger
2022-05-22 17:31 ` Serge E. Hallyn
2022-05-24 14:17 ` Stefan Berger
2022-04-20 14:06 ` [PATCH v12 12/26] ima: Only accept AUDIT rules for non-init_ima_ns namespaces for now Stefan Berger
2022-05-22 17:38 ` Serge E. Hallyn
2022-05-24 13:25 ` Stefan Berger
2022-04-20 14:06 ` [PATCH v12 13/26] userns: Add pointer to ima_namespace to user_namespace Stefan Berger
2022-05-22 18:24 ` Serge E. Hallyn
2022-05-23 9:59 ` Christian Brauner
2022-05-23 11:31 ` Stefan Berger
2022-05-23 12:41 ` Christian Brauner
2022-05-23 12:58 ` Stefan Berger
2022-05-23 14:25 ` Serge E. Hallyn
2022-07-07 14:14 ` Stefan Berger
2022-04-20 14:06 ` [PATCH v12 14/26] ima: Implement hierarchical processing of file accesses Stefan Berger
2022-05-23 0:42 ` Serge E. Hallyn
2022-04-20 14:06 ` [PATCH v12 15/26] ima: Implement ima_free_policy_rules() for freeing of an ima_namespace Stefan Berger
2022-05-23 0:43 ` Serge E. Hallyn
2022-04-20 14:06 ` [PATCH v12 16/26] ima: Add functions for creating and " Stefan Berger
2022-05-30 1:07 ` Serge E. Hallyn
2022-04-20 14:06 ` [PATCH v12 17/26] integrity/ima: Define ns_status for storing namespaced iint data Stefan Berger
2022-04-20 14:06 ` [PATCH v12 18/26] integrity: Add optional callback function to integrity_inode_free() Stefan Berger
2022-04-20 14:06 ` [PATCH v12 19/26] ima: Namespace audit status flags Stefan Berger
2022-04-20 14:06 ` [PATCH v12 20/26] ima: Remove unused iints from the integrity_iint_cache Stefan Berger
2022-04-20 14:06 ` [PATCH v12 21/26] ima: Setup securityfs for IMA namespace Stefan Berger
2022-05-30 1:16 ` Serge E. Hallyn
2022-05-31 19:26 ` Stefan Berger
2022-04-20 14:06 ` [PATCH v12 22/26] ima: Introduce securityfs file to activate an " Stefan Berger
2022-04-20 14:06 ` [PATCH v12 23/26] ima: Show owning user namespace's uid and gid when displaying policy Stefan Berger
2022-05-22 17:54 ` Serge E. Hallyn
2022-05-24 13:19 ` Stefan Berger [this message]
2022-04-20 14:06 ` [PATCH v12 24/26] ima: Limit number of policy rules in non-init_ima_ns Stefan Berger
2022-04-20 14:06 ` [PATCH v12 25/26] ima: Restrict informational audit messages to init_ima_ns Stefan Berger
2022-04-20 14:06 ` [PATCH v12 26/26] ima: Enable IMA namespaces Stefan Berger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e1c3941e-80d4-f8f2-774e-01bd89fd474a@linux.ibm.com \
--to=stefanb@linux.ibm.com \
--cc=christian.brauner@ubuntu.com \
--cc=containers@lists.linux.dev \
--cc=dmitry.kasatkin@gmail.com \
--cc=ebiederm@xmission.com \
--cc=jamjoom@us.ibm.com \
--cc=jejb@linux.ibm.com \
--cc=jmorris@namei.org \
--cc=jpenumak@redhat.com \
--cc=krzysztof.struczynski@huawei.com \
--cc=lhinds@redhat.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lsturman@redhat.com \
--cc=mpeters@redhat.com \
--cc=paul@paul-moore.com \
--cc=puiterwi@redhat.com \
--cc=rgb@redhat.com \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.