From: Stephen Rothwell <sfr@canb.auug.org.au>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: linux-next@vger.kernel.org, linux-kernel@vger.kernel.org,
Mimi Zohar <zohar@linux.vnet.ibm.com>,
James Morris <jmorris@namei.org>,
Dmitry Kasatkin <dmitry.kasatkin@intel.com>
Subject: linux-next: manual merge of the userns tree with the security tree
Date: Mon, 24 Sep 2012 21:52:22 +1000 [thread overview]
Message-ID: <20120924215222.8933c5557b17239552f0b1d1@canb.auug.org.au> (raw)
[-- Attachment #1: Type: text/plain, Size: 1753 bytes --]
Hi Eric,
Today's linux-next merge of the userns tree got a conflict in
security/integrity/ima/ima_policy.c between commit 07f6a79415d7 ("ima:
add appraise action keywords and default rules") from the security tree
and commit 8b94eea4bfb8 ("userns: Add user namespace support to IMA") from
the userns tree.
I fixed it up (see below) but it probably needs more and can carry the
fix as necessary (no action is required).
--
Cheers,
Stephen Rothwell sfr@canb.auug.org.au
diff --cc security/integrity/ima/ima_policy.c
index cda9031,c84df05..0000000
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@@ -45,8 -39,7 +45,8 @@@ struct ima_rule_entry
enum ima_hooks func;
int mask;
unsigned long fsmagic;
- uid_t uid;
+ kuid_t uid;
+ uid_t fowner;
struct {
void *rule; /* LSM file metadata specific */
int type; /* audit type */
@@@ -141,10 -112,8 +141,10 @@@ static bool ima_match_rules(struct ima_
if ((rule->flags & IMA_FSMAGIC)
&& rule->fsmagic != inode->i_sb->s_magic)
return false;
- if ((rule->flags & IMA_UID) && rule->uid != cred->uid)
+ if ((rule->flags & IMA_UID) && !uid_eq(rule->uid, cred->uid))
return false;
+ if ((rule->flags & IMA_FOWNER) && rule->fowner != inode->i_uid)
+ return false;
for (i = 0; i < MAX_LSM_RULES; i++) {
int rc = 0;
u32 osid, sid;
@@@ -336,8 -277,7 +336,8 @@@ static int ima_parse_rule(char *rule, s
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_RULE);
- entry->uid = -1;
+ entry->uid = INVALID_UID;
+ entry->fowner = -1;
entry->action = UNKNOWN;
while ((p = strsep(&rule, " \t")) != NULL) {
substring_t args[MAX_OPT_ARGS];
[-- Attachment #2: Type: application/pgp-signature, Size: 836 bytes --]
next reply other threads:[~2012-09-24 11:52 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-09-24 11:52 Stephen Rothwell [this message]
2012-09-24 15:31 ` linux-next: manual merge of the userns tree with the security tree Eric W. Biederman
2012-09-25 0:46 ` Stephen Rothwell
-- strict thread matches above, loose matches on Subject: below --
2012-09-24 11:41 Stephen Rothwell
2012-09-24 12:17 ` Stephen Rothwell
2012-09-24 15:36 ` Peter Moody
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120924215222.8933c5557b17239552f0b1d1@canb.auug.org.au \
--to=sfr@canb.auug.org.au \
--cc=dmitry.kasatkin@intel.com \
--cc=ebiederm@xmission.com \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-next@vger.kernel.org \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).