From: Christian Brauner <christian.brauner@ubuntu.com>
To: Roberto Sassu <roberto.sassu@huawei.com>
Cc: zohar@linux.ibm.com, mjg59@srcf.ucam.org,
	linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 2/7] ima: Define new template fields iuid and igid
Date: Fri, 28 May 2021 10:25:08 +0200	[thread overview]
Message-ID: <20210528082508.lqolb3r2oepf3god@wittgenstein> (raw)
In-Reply-To: <20210528073812.407936-3-roberto.sassu@huawei.com>

On Fri, May 28, 2021 at 09:38:07AM +0200, Roberto Sassu wrote:
> This patch defines the new template fields iuid and igid, which include
> respectively the inode UID and GID. For idmapped mounts, the original
> UID and GID are still provided.
> 
> These fields can be used to verify the EVM portable signature, if it was
> included with the template fields sig or evmsig.
> 
> Cc: Christian Brauner <christian.brauner@ubuntu.com>
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> ---

That's fine with me. Thanks, Robert!
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>

>  Documentation/security/IMA-templates.rst  |  2 +
>  security/integrity/ima/ima_template.c     |  4 ++
>  security/integrity/ima/ima_template_lib.c | 45 +++++++++++++++++++++++
>  security/integrity/ima/ima_template_lib.h |  4 ++
>  4 files changed, 55 insertions(+)
> 
> diff --git a/Documentation/security/IMA-templates.rst b/Documentation/security/IMA-templates.rst
> index 9f3e86ab028a..bf8ce4cf5878 100644
> --- a/Documentation/security/IMA-templates.rst
> +++ b/Documentation/security/IMA-templates.rst
> @@ -75,6 +75,8 @@ descriptors by adding their identifier to the format string
>   - 'modsig' the appended file signature;
>   - 'buf': the buffer data that was used to generate the hash without size limitations;
>   - 'evmsig': the EVM portable signature;
> + - 'iuid': the inode UID;
> + - 'igid': the inode GID;
>  
>  
>  Below, there is the list of defined template descriptors:
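Review bot: the new 'iuid' and 'igid' entries do not say which value is recorded for idmapped mounts, although the commit message promises the original (unmapped) inode UID/GID. Since a verifier has to know which value goes into the template data, suggest stating it in the list, e.g. " - 'iuid': the inode UID (the value stored in the inode, not mapped through an idmapped mount);" and the same for 'igid'.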
> diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c
> index 7a60848c04a5..a5ecd9e2581b 100644
> --- a/security/integrity/ima/ima_template.c
> +++ b/security/integrity/ima/ima_template.c
> @@ -47,6 +47,10 @@ static const struct ima_template_field supported_fields[] = {
>  	 .field_show = ima_show_template_sig},
>  	{.field_id = "evmsig", .field_init = ima_eventevmsig_init,
>  	 .field_show = ima_show_template_sig},
> +	{.field_id = "iuid", .field_init = ima_eventinodeuid_init,
> +	 .field_show = ima_show_template_uint},
> +	{.field_id = "igid", .field_init = ima_eventinodegid_init,
> +	 .field_show = ima_show_template_uint},
>  };
>  
>  /*
> diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c
> index f23296c33da1..87b40f391739 100644
> --- a/security/integrity/ima/ima_template_lib.c
> +++ b/security/integrity/ima/ima_template_lib.c
> @@ -551,3 +551,48 @@ int ima_eventevmsig_init(struct ima_event_data *event_data,
>  	kfree(xattr_data);
>  	return rc;
>  }
> +
> +static int ima_eventinodedac_init_common(struct ima_event_data *event_data,
> +					 struct ima_field_data *field_data,
> +					 bool get_uid)
> +{
> +	unsigned int id;
> +
> +	if (!event_data->file)
> +		return 0;
> +
> +	if (get_uid)
> +		id = i_uid_read(file_inode(event_data->file));
> +	else
> +		id = i_gid_read(file_inode(event_data->file));
> +
> +	if (ima_canonical_fmt) {
> +		if (sizeof(id) == sizeof(u16))
> +			id = cpu_to_le16(id);
> +		else
> +			id = cpu_to_le32(id);
> +	}
> +
> +	return ima_write_template_field_data((void *)&id, sizeof(id),
> +					     DATA_FMT_UINT, field_data);
> +}
> +
> +/*
> + *  ima_eventinodeuid_init - include the inode UID as part of the template
> + *  data
> + */
> +int ima_eventinodeuid_init(struct ima_event_data *event_data,
> +			   struct ima_field_data *field_data)
> +{
> +	return ima_eventinodedac_init_common(event_data, field_data, true);
> +}
> +
> +/*
> + *  ima_eventinodegid_init - include the inode GID as part of the template
> + *  data
> + */
> +int ima_eventinodegid_init(struct ima_event_data *event_data,
> +			   struct ima_field_data *field_data)
> +{
> +	return ima_eventinodedac_init_common(event_data, field_data, false);
> +}
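Review bot: in ima_eventinodedac_init_common() the `if (sizeof(id) == sizeof(u16))` branch is dead, because `id` is an `unsigned int` (four bytes), and both branches assign a bitwise `__le16`/`__le32` result to a plain `unsigned int`, which sparse reports as an endianness mismatch. Either drop the u16 branch and write `id = (u32)cpu_to_le32(id);`, or keep both branches with explicit casts, `id = (u16)cpu_to_le16(id);` and `id = (u32)cpu_to_le32(id);`. Returning 0 without writing the field when event_data->file is NULL matches the other init functions in this file, so that part needs no change.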
> diff --git a/security/integrity/ima/ima_template_lib.h b/security/integrity/ima/ima_template_lib.h
> index 54b67c80b315..b0aaf109f386 100644
> --- a/security/integrity/ima/ima_template_lib.h
> +++ b/security/integrity/ima/ima_template_lib.h
> @@ -50,4 +50,8 @@ int ima_eventmodsig_init(struct ima_event_data *event_data,
>  			 struct ima_field_data *field_data);
>  int ima_eventevmsig_init(struct ima_event_data *event_data,
>  			 struct ima_field_data *field_data);
> +int ima_eventinodeuid_init(struct ima_event_data *event_data,
> +			   struct ima_field_data *field_data);
> +int ima_eventinodegid_init(struct ima_event_data *event_data,
> +			   struct ima_field_data *field_data);
>  #endif /* __LINUX_IMA_TEMPLATE_LIB_H */
> -- 
> 2.25.1
> 
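The iuid/igid field bytes as a user-space verifier would see them, as an added example that is not part of the patch or the kernel: it mirrors what the quoted ima_eventinodedac_init_common() hands to ima_write_template_field_data() (a four-byte unsigned int, little-endian when ima_canonical_fmt is set, host order otherwise) and decodes such a DATA_FMT_UINT field back into a number. The helper names, the assumption that the verifier receives the raw field bytes plus their length, and the 1/2/4/8-byte width handling are mine, not from the page.

```c
/*
 * Added example, not code from the patch or the kernel.  Models (a) the
 * bytes the kernel stores for the iuid/igid template fields and (b) how a
 * user-space verifier reading the measurement list would decode a
 * DATA_FMT_UINT field.  Assumed, not shown on the page: the verifier gets
 * the raw field bytes and their length (1, 2, 4 or 8 bytes); the kernel
 * side always emits 4 bytes here because the id is an unsigned int.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMA_ID_FIELD_LEN 4	/* sizeof(unsigned int) on Linux targets */

static int host_is_little_endian(void)
{
	const uint16_t probe = 1;

	return *(const uint8_t *)&probe == 1;
}

/* User-space stand-in for the kernel's cpu_to_le32(): swap only on big-endian hosts. */
static uint32_t to_le32(uint32_t v)
{
	if (host_is_little_endian())
		return v;
	return ((v & 0xffu) << 24) | ((v & 0xff00u) << 8) |
	       ((v >> 8) & 0xff00u) | (v >> 24);
}

/*
 * Field data for one inode UID or GID.  With canonical_fmt the bytes are
 * little-endian on every host; without it they are plain host order, which
 * is what storing the unsigned int directly produces.  Returns the length.
 */
size_t ima_encode_inode_id(uint32_t id, int canonical_fmt,
			   uint8_t out[IMA_ID_FIELD_LEN])
{
	uint32_t v = canonical_fmt ? to_le32(id) : id;

	memcpy(out, &v, sizeof(v));
	return sizeof(v);
}

/*
 * Decode a DATA_FMT_UINT field.  canonical_fmt must reflect the measuring
 * host's ima_canonical_fmt setting; non-canonical data is only meaningful
 * on a verifier with the same endianness as the measurer.  Returns 0 on
 * success, -1 for a length that is not 1, 2, 4 or 8.
 */
int ima_decode_uint_field(const uint8_t *buf, size_t len, int canonical_fmt,
			  uint64_t *out)
{
	uint64_t v = 0;
	size_t i;

	if (len != 1 && len != 2 && len != 4 && len != 8)
		return -1;

	if (canonical_fmt || host_is_little_endian()) {
		for (i = 0; i < len; i++)	/* little-endian: byte i holds bits 8i..8i+7 */
			v |= (uint64_t)buf[i] << (8 * i);
	} else {
		for (i = 0; i < len; i++)	/* big-endian host order */
			v = (v << 8) | buf[i];
	}
	*out = v;
	return 0;
}

/* Encode then decode one id; UINT64_MAX signals a decode failure. */
uint64_t ima_roundtrip_inode_id(uint32_t id, int canonical_fmt)
{
	uint8_t field[IMA_ID_FIELD_LEN];
	uint64_t out;
	size_t len = ima_encode_inode_id(id, canonical_fmt, field);

	if (ima_decode_uint_field(field, len, canonical_fmt, &out) != 0)
		return UINT64_MAX;
	return out;
}

/* First byte of the canonical encoding: always the low-order byte of the id. */
int ima_canonical_low_byte(uint32_t id)
{
	uint8_t field[IMA_ID_FIELD_LEN];

	ima_encode_inode_id(id, 1, field);
	return field[0];
}

int main(void)
{
	uint8_t field[IMA_ID_FIELD_LEN];
	size_t i, len = ima_encode_inode_id(1000, 1, field);

	printf("iuid=1000, canonical field bytes:");
	for (i = 0; i < len; i++)
		printf(" %02x", field[i]);
	printf("\n");
	return 0;
}
```

The practical point for anyone consuming these fields: a measurement list written without ima_canonical_fmt is in the measuring host's byte order, so a verifier on a machine of different endianness reads the wrong UID/GID unless it knows the producer's setting; canonical format removes that ambiguity, which is why the kernel converts with cpu_to_le32() in that case.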
