linux-integrity.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] ima: Support euid keyword for buffer measurement
@ 2021-07-05 11:56 Roberto Sassu
  2021-07-06 19:29 ` Lakshmi Ramasubramanian
  0 siblings, 1 reply; 4+ messages in thread
From: Roberto Sassu @ 2021-07-05 11:56 UTC (permalink / raw)
  To: zohar
  Cc: tusharsu, nramas, linux-integrity, linux-security-module,
	linux-kernel, Roberto Sassu

This patch makes the 'euid' keyword available for buffer measurement rules,
in the same way as for other rules. Currently, there is only support for
the 'uid' keyword.

With this change, buffer measurement (or non-measurement) can depend also
on the process effective UID.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 security/integrity/ima/ima_policy.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index fd5d46e511f1..fdaa030fb04b 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -480,6 +480,16 @@ static bool ima_match_rule_data(struct ima_rule_entry *rule,
 	if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
 		return false;
 
+	if (rule->flags & IMA_EUID) {
+		if (has_capability_noaudit(current, CAP_SETUID)) {
+			if (!rule->uid_op(cred->euid, rule->uid)
+			    && !rule->uid_op(cred->suid, rule->uid)
+			    && !rule->uid_op(cred->uid, rule->uid))
+				return false;
+		} else if (!rule->uid_op(cred->euid, rule->uid))
+			return false;
+	}
+
 	switch (rule->func) {
 	case KEY_CHECK:
 		if (!rule->keyrings)
@@ -1153,7 +1163,7 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
 		if (entry->action & ~(MEASURE | DONT_MEASURE))
 			return false;
 
-		if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR |
+		if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_EUID | IMA_PCR |
 				     IMA_LABEL))
 			return false;
 
-- 
2.25.1


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] ima: Support euid keyword for buffer measurement
  2021-07-05 11:56 [PATCH] ima: Support euid keyword for buffer measurement Roberto Sassu
@ 2021-07-06 19:29 ` Lakshmi Ramasubramanian
  2021-07-07  7:15   ` Roberto Sassu
  0 siblings, 1 reply; 4+ messages in thread
From: Lakshmi Ramasubramanian @ 2021-07-06 19:29 UTC (permalink / raw)
  To: Roberto Sassu, zohar
  Cc: tusharsu, linux-integrity, linux-security-module, linux-kernel

On 7/5/2021 4:56 AM, Roberto Sassu wrote:

Hi Roberto,

> This patch makes the 'euid' keyword available for buffer measurement rules,
> in the same way as for other rules. Currently, there is only support for
> the 'uid' keyword.
> 
> With this change, buffer measurement (or non-measurement) can depend also
> on the process effective UID.

Who (kernel component) will be using this?

Maybe you could make this change as part of the patch set in which the 
above "euid" support will be used.

thanks,
  -lakshmi

> 
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> ---
>   security/integrity/ima/ima_policy.c | 12 +++++++++++-
>   1 file changed, 11 insertions(+), 1 deletion(-)
> 
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index fd5d46e511f1..fdaa030fb04b 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -480,6 +480,16 @@ static bool ima_match_rule_data(struct ima_rule_entry *rule,
>   	if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
>   		return false;
>   
> +	if (rule->flags & IMA_EUID) {
> +		if (has_capability_noaudit(current, CAP_SETUID)) {
> +			if (!rule->uid_op(cred->euid, rule->uid)
> +			    && !rule->uid_op(cred->suid, rule->uid)
> +			    && !rule->uid_op(cred->uid, rule->uid))
> +				return false;
> +		} else if (!rule->uid_op(cred->euid, rule->uid))
> +			return false;
> +	}
> +
>   	switch (rule->func) {
>   	case KEY_CHECK:
>   		if (!rule->keyrings)
> @@ -1153,7 +1163,7 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
>   		if (entry->action & ~(MEASURE | DONT_MEASURE))
>   			return false;
>   
> -		if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR |
> +		if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_EUID | IMA_PCR |
>   				     IMA_LABEL))
>   			return false;
>   
> 

^ permalink raw reply	[flat|nested] 4+ messages in thread

* RE: [PATCH] ima: Support euid keyword for buffer measurement
  2021-07-06 19:29 ` Lakshmi Ramasubramanian
@ 2021-07-07  7:15   ` Roberto Sassu
  2021-07-19 21:30     ` Mimi Zohar
  0 siblings, 1 reply; 4+ messages in thread
From: Roberto Sassu @ 2021-07-07  7:15 UTC (permalink / raw)
  To: Lakshmi Ramasubramanian, zohar
  Cc: tusharsu, linux-integrity, linux-security-module, linux-kernel

> From: Lakshmi Ramasubramanian [mailto:nramas@linux.microsoft.com]
> Sent: Tuesday, July 6, 2021 9:30 PM
> On 7/5/2021 4:56 AM, Roberto Sassu wrote:
> 
> Hi Roberto,
> 
> > This patch makes the 'euid' keyword available for buffer measurement rules,
> > in the same way as for other rules. Currently, there is only support for
> > the 'uid' keyword.
> >
> > With this change, buffer measurement (or non-measurement) can depend
> also
> > on the process effective UID.
> 
> Who (kernel component) will be using this?

Hi Lakshmi

I'm using it in a (not yet submitted) test for digest lists.

It is in a dont_measure rule to try to unload a digest list
without measurement and to check that this is not allowed
if the digest list was measured at addition time (to ensure
completeness of information).

> Maybe you could make this change as part of the patch set in which the
> above "euid" support will be used.

I wanted to send the digest lists patch set without anything
else. I could resend the patch as part of that patch set if it is
preferred.

Thanks

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli

> thanks,
>   -lakshmi
> 
> >
> > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> > ---
> >   security/integrity/ima/ima_policy.c | 12 +++++++++++-
> >   1 file changed, 11 insertions(+), 1 deletion(-)
> >
> > diff --git a/security/integrity/ima/ima_policy.c
> b/security/integrity/ima/ima_policy.c
> > index fd5d46e511f1..fdaa030fb04b 100644
> > --- a/security/integrity/ima/ima_policy.c
> > +++ b/security/integrity/ima/ima_policy.c
> > @@ -480,6 +480,16 @@ static bool ima_match_rule_data(struct
> ima_rule_entry *rule,
> >   	if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
> >   		return false;
> >
> > +	if (rule->flags & IMA_EUID) {
> > +		if (has_capability_noaudit(current, CAP_SETUID)) {
> > +			if (!rule->uid_op(cred->euid, rule->uid)
> > +			    && !rule->uid_op(cred->suid, rule->uid)
> > +			    && !rule->uid_op(cred->uid, rule->uid))
> > +				return false;
> > +		} else if (!rule->uid_op(cred->euid, rule->uid))
> > +			return false;
> > +	}
> > +
> >   	switch (rule->func) {
> >   	case KEY_CHECK:
> >   		if (!rule->keyrings)
> > @@ -1153,7 +1163,7 @@ static bool ima_validate_rule(struct
> ima_rule_entry *entry)
> >   		if (entry->action & ~(MEASURE | DONT_MEASURE))
> >   			return false;
> >
> > -		if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR |
> > +		if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_EUID |
> IMA_PCR |
> >   				     IMA_LABEL))
> >   			return false;
> >
> >

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] ima: Support euid keyword for buffer measurement
  2021-07-07  7:15   ` Roberto Sassu
@ 2021-07-19 21:30     ` Mimi Zohar
  0 siblings, 0 replies; 4+ messages in thread
From: Mimi Zohar @ 2021-07-19 21:30 UTC (permalink / raw)
  To: Roberto Sassu, Lakshmi Ramasubramanian
  Cc: tusharsu, linux-integrity, linux-security-module, linux-kernel

Hi Roberto,

On Wed, 2021-07-07 at 07:15 +0000, Roberto Sassu wrote:
> > From: Lakshmi Ramasubramanian [mailto:nramas@linux.microsoft.com]
> > Sent: Tuesday, July 6, 2021 9:30 PM
> > On 7/5/2021 4:56 AM, Roberto Sassu wrote:
> > 
> > Hi Roberto,
> > 
> > > This patch makes the 'euid' keyword available for buffer measurement rules,
> > > in the same way as for other rules. Currently, there is only support for
> > > the 'uid' keyword.
> > >
> > > With this change, buffer measurement (or non-measurement) can depend
> > also
> > > on the process effective UID.
> > 
> > Who (kernel component) will be using this?
> 
> Hi Lakshmi
> 
> I'm using it in a (not yet submitted) test for digest lists.
> 
> It is in a dont_measure rule to try to unload a digest list
> without measurement and to check that this is not allowed
> if the digest list was measured at addition time (to ensure
> completeness of information).
> 
> > Maybe you could make this change as part of the patch set in which the
> > above "euid" support will be used.
> 
> I wanted to send the digest lists patch set without anything
> else. I could resend the patch as part of that patch set if it is
> preferred.

Unless there is another usecase, please keep it with the digest list
tests patch set.

Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>

thanks,

Mimi


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2021-07-19 23:37 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-07-05 11:56 [PATCH] ima: Support euid keyword for buffer measurement Roberto Sassu
2021-07-06 19:29 ` Lakshmi Ramasubramanian
2021-07-07  7:15   ` Roberto Sassu
2021-07-19 21:30     ` Mimi Zohar

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).