From: <krzysztof.struczynski@huawei.com>
To: <linux-integrity@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
<containers@lists.linux-foundation.org>,
<linux-security-module@vger.kernel.org>
Cc: <zohar@linux.ibm.com>, <stefanb@linux.vnet.ibm.com>,
<sunyuqiong1988@gmail.com>, <mkayaalp@cs.binghamton.edu>,
<dmitry.kasatkin@gmail.com>, <serge@hallyn.com>,
<jmorris@namei.org>, <christian@brauner.io>,
<silviu.vlasceanu@huawei.com>, <roberto.sassu@huawei.com>,
Krzysztof Struczynski <krzysztof.struczynski@huawei.com>
Subject: [RFC PATCH 22/30] ima: Remap IDs of subject based rules if necessary
Date: Tue, 18 Aug 2020 17:42:22 +0200 [thread overview]
Message-ID: <20200818154230.14016-13-krzysztof.struczynski@huawei.com> (raw)
In-Reply-To: <20200818154230.14016-1-krzysztof.struczynski@huawei.com>
From: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>
If subject based rule is added to the policy before the user namespace
uid mapping is defined, ID has to be recalculated.
It can happen if the new user namespace is created alongside the new
ima namespace. The default policy rules are loaded when the first
process is born into the new ima namespace. In that case, user has no
chance to define the mapping. It can also happen for the custom policy
rules loaded from within the new ima namespace, before the mapping is
created.
Signed-off-by: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>
---
security/integrity/ima/ima_policy.c | 83 ++++++++++++++++++++++++-----
1 file changed, 70 insertions(+), 13 deletions(-)
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index d4774eab6a98..bc1a4bb10bd0 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -18,6 +18,7 @@
#include <linux/genhd.h>
#include <linux/seq_file.h>
#include <linux/ima.h>
+#include <linux/user_namespace.h>
#include "ima.h"
@@ -78,6 +79,10 @@ struct ima_rule_entry {
char *fsname;
char *keyrings; /* Measure keys added to these keyrings */
struct ima_template_desc *template;
+ bool remap_uid; /* IDs of all subject oriented rules, added before the
+ * user namespace mapping is defined,
+ * have to be remapped.
+ */
};
/*
@@ -484,6 +489,8 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
const char *keyring)
{
int i;
+ kuid_t remapped_kuid;
+ struct ima_namespace *current_ima_ns = get_current_ns();
if (func == KEY_CHECK) {
return (rule->flags & IMA_FUNC) && (rule->func == func) &&
@@ -507,21 +514,45 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
if ((rule->flags & IMA_FSUUID) &&
!uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid))
return false;
- if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
- return false;
+ if (rule->flags & IMA_UID) {
+ if (rule->remap_uid) {
+ remapped_kuid = make_kuid(current_ima_ns->user_ns,
+ __kuid_val(rule->uid));
+ if (!uid_valid(remapped_kuid))
+ return false;
+ } else
+ remapped_kuid = rule->uid;
+ if (!rule->uid_op(cred->uid, remapped_kuid))
+ return false;
+ }
if (rule->flags & IMA_EUID) {
+ if (rule->remap_uid) {
+ remapped_kuid = make_kuid(current_ima_ns->user_ns,
+ __kuid_val(rule->uid));
+ if (!uid_valid(remapped_kuid))
+ return false;
+ } else
+ remapped_kuid = rule->uid;
if (has_capability_noaudit(current, CAP_SETUID)) {
- if (!rule->uid_op(cred->euid, rule->uid)
- && !rule->uid_op(cred->suid, rule->uid)
- && !rule->uid_op(cred->uid, rule->uid))
+ if (!rule->uid_op(cred->euid, remapped_kuid)
+ && !rule->uid_op(cred->suid, remapped_kuid)
+ && !rule->uid_op(cred->uid, remapped_kuid))
return false;
- } else if (!rule->uid_op(cred->euid, rule->uid))
+ } else if (!rule->uid_op(cred->euid, remapped_kuid))
return false;
}
- if ((rule->flags & IMA_FOWNER) &&
- !rule->fowner_op(inode->i_uid, rule->fowner))
- return false;
+ if (rule->flags & IMA_FOWNER) {
+ if (rule->remap_uid) {
+ remapped_kuid = make_kuid(current_ima_ns->user_ns,
+ __kuid_val(rule->fowner));
+ if (!uid_valid(remapped_kuid))
+ return false;
+ } else
+ remapped_kuid = rule->fowner;
+ if (!rule->fowner_op(inode->i_uid, remapped_kuid))
+ return false;
+ }
for (i = 0; i < MAX_LSM_RULES; i++) {
int rc = 0;
u32 osid;
@@ -701,6 +732,9 @@ static void add_rules(struct ima_namespace *ima_ns,
for (i = 0; i < count; i++) {
struct ima_rule_entry *entry;
+ bool set_uidmap;
+
+ set_uidmap = userns_set_uidmap(ima_ns->user_ns);
if (policy_rule & IMA_DEFAULT_POLICY) {
entry = &entries[i];
@@ -709,6 +743,9 @@ static void add_rules(struct ima_namespace *ima_ns,
GFP_KERNEL);
if (!entry)
continue;
+
+ if (!set_uidmap)
+ entry->remap_uid = true;
}
list_add_tail(&entry->list,
@@ -721,6 +758,9 @@ static void add_rules(struct ima_namespace *ima_ns,
if (!entry)
continue;
+ if (ima_ns != &init_ima_ns && !set_uidmap)
+ entry->remap_uid = true;
+
list_add_tail(&entry->list,
&ima_ns->policy_data->ima_policy_rules);
}
@@ -1165,6 +1205,10 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry,
ab = integrity_audit_log_start(audit_context(), GFP_KERNEL,
AUDIT_INTEGRITY_POLICY_RULE);
+ if ((ima_ns != &init_ima_ns) &&
+ (!userns_set_uidmap(ima_ns->user_ns)))
+ entry->remap_uid = true;
+
entry->uid = INVALID_UID;
entry->fowner = INVALID_UID;
entry->uid_op = &uid_eq;
@@ -1396,8 +1440,13 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry,
result = kstrtoul(args[0].from, 10, &lnum);
if (!result) {
- entry->uid = make_kuid(current_user_ns(),
- (uid_t) lnum);
+ if (!entry->remap_uid)
+ entry->uid =
+ make_kuid(current_user_ns(),
+ (uid_t) lnum);
+ else
+ entry->uid = KUIDT_INIT((uid_t) lnum);
+
if (!uid_valid(entry->uid) ||
(uid_t)lnum != lnum)
result = -EINVAL;
@@ -1424,8 +1473,16 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry,
result = kstrtoul(args[0].from, 10, &lnum);
if (!result) {
- entry->fowner = make_kuid(current_user_ns(), (uid_t)lnum);
- if (!uid_valid(entry->fowner) || (((uid_t)lnum) != lnum))
+ if (!entry->remap_uid)
+ entry->fowner =
+ make_kuid(current_user_ns(),
+ (uid_t) lnum);
+ else
+ entry->fowner =
+ KUIDT_INIT((uid_t) lnum);
+
+ if (!uid_valid(entry->fowner) ||
+ (((uid_t)lnum) != lnum))
result = -EINVAL;
else
entry->flags |= IMA_FOWNER;
--
2.20.1
next prev parent reply other threads:[~2020-08-18 15:58 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-18 15:42 [RFC PATCH 10/30] ima: Add ima namespace ID to the ima ML related structures krzysztof.struczynski
2020-08-18 15:42 ` [RFC PATCH 11/30] ima: Keep track of the measurment list per ima namespace krzysztof.struczynski
2020-08-18 15:42 ` [RFC PATCH 12/30] ima: Check ima namespace ID during digest entry lookup krzysztof.struczynski
2020-08-18 15:42 ` [RFC PATCH 13/30] ima: Add a new ima template that includes namespace ID krzysztof.struczynski
2020-08-18 15:42 ` [RFC PATCH 14/30] ima: Add per namespace view of the measurement list krzysztof.struczynski
2020-08-18 15:42 ` [RFC PATCH 15/30] ima: Add a reader counter to the integrity inode data krzysztof.struczynski
2020-08-18 15:42 ` [RFC PATCH 16/30] ima: Extend permissions to the ima securityfs entries krzysztof.struczynski
2020-08-18 15:42 ` [RFC PATCH 17/30] ima: Add the violation counter to the namespace krzysztof.struczynski
2020-08-18 15:42 ` [RFC PATCH 18/30] ima: Change the owning user namespace of the ima namespace if necessary krzysztof.struczynski
2020-08-18 15:42 ` [RFC PATCH 19/30] ima: Configure the new ima namespace from securityfs krzysztof.struczynski
2020-08-18 15:42 ` [RFC PATCH 20/30] ima: Parse per ima namespace policy file krzysztof.struczynski
2020-08-18 15:42 ` [RFC PATCH 21/30] user namespace: Add function that checks if the UID map is defined krzysztof.struczynski
2020-08-18 15:42 ` krzysztof.struczynski [this message]
2020-08-18 15:42 ` [RFC PATCH 23/30] keys: Add domain tag to the keyring search criteria krzysztof.struczynski
2020-08-18 15:42 ` [RFC PATCH 24/30] keys: Include key domain tag in the iterative search krzysztof.struczynski
2020-08-18 15:42 ` [RFC PATCH 25/30] keys: Allow to set key domain tag separately from the key type krzysztof.struczynski
2020-08-18 15:42 ` [RFC PATCH 26/30] ima: Add key domain to the ima namespace krzysztof.struczynski
2020-08-18 15:42 ` [RFC PATCH 27/30] integrity: Add key domain tag to the search criteria krzysztof.struczynski
2020-08-18 15:42 ` [RFC PATCH 28/30] ima: Load per ima namespace x509 certificate krzysztof.struczynski
2020-08-18 15:42 ` [RFC PATCH 29/30] ima: Add dummy boot aggregate to per ima namespace measurement list krzysztof.struczynski
2020-08-18 15:42 ` [RFC PATCH 30/30] ima: Set ML template per ima namespace krzysztof.struczynski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200818154230.14016-13-krzysztof.struczynski@huawei.com \
--to=krzysztof.struczynski@huawei.com \
--cc=christian@brauner.io \
--cc=containers@lists.linux-foundation.org \
--cc=dmitry.kasatkin@gmail.com \
--cc=jmorris@namei.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mkayaalp@cs.binghamton.edu \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=silviu.vlasceanu@huawei.com \
--cc=stefanb@linux.vnet.ibm.com \
--cc=sunyuqiong1988@gmail.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).