From: Christian Brauner <brauner@kernel.org>
To: Stefan Berger <stefanb@linux.vnet.ibm.com>
Cc: linux-integrity@vger.kernel.org, zohar@linux.ibm.com,
serge@hallyn.com, christian.brauner@ubuntu.com,
containers@lists.linux.dev, dmitry.kasatkin@gmail.com,
ebiederm@xmission.com, krzysztof.struczynski@huawei.com,
roberto.sassu@huawei.com, mpeters@redhat.com, lhinds@redhat.com,
lsturman@redhat.com, puiterwi@redhat.com, jejb@linux.ibm.com,
jamjoom@us.ibm.com, linux-kernel@vger.kernel.org,
paul@paul-moore.com, rgb@redhat.com,
linux-security-module@vger.kernel.org, jmorris@namei.org,
Stefan Berger <stefanb@linux.ibm.com>
Subject: Re: [PATCH v9 22/23] ima: Show owning user namespace's uid and gid when displaying policy
Date: Wed, 26 Jan 2022 15:43:26 +0100 [thread overview]
Message-ID: <20220126144326.ci646xkm7mjsqwci@wittgenstein> (raw)
In-Reply-To: <20220125224645.79319-23-stefanb@linux.vnet.ibm.com>
On Tue, Jan 25, 2022 at 05:46:44PM -0500, Stefan Berger wrote:
> From: Stefan Berger <stefanb@linux.ibm.com>
>
> Show the uid and gid values relative to the user namespace that is
> currently active. The effect of this changes is that when one displays
> the policy from the user namespace that originally set the policy,
> the same uid and gid values are shown in the policy as those that were
> used when the policy was set.
"Make sure that the uid and gid values associated with the relevant
ima policy are resolved in the user namespace of the opener of the
policy file."
is more correct. Also note, that by virtue of enforcing that securityfs
files can only ever be opened if the opener's userns is the same or an
ancestor of the userns the securityfs instance is mounted in we are
guaranteed that the uid and gid can be resolved. That's another way of
saying technically *_munged() isn't necessary but it is more correct
since we're crossing the user-kernel boundary.
>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>
> ---
> v9:
> - use seq_user_ns and from_k{g,u}id_munged()
> ---
> security/integrity/ima/ima_policy.c | 19 +++++++++++++------
> 1 file changed, 13 insertions(+), 6 deletions(-)
>
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 47f2d1b5d156..151f418036ee 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -2002,6 +2002,7 @@ static void ima_policy_show_appraise_algos(struct seq_file *m,
>
> int ima_policy_show(struct seq_file *m, void *v)
> {
> + struct user_namespace *user_ns = seq_user_ns(m);
> struct ima_rule_entry *entry = v;
> int i;
> char tbuf[64] = {0,};
> @@ -2087,7 +2088,8 @@ int ima_policy_show(struct seq_file *m, void *v)
> }
>
> if (entry->flags & IMA_UID) {
> - snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));
> + snprintf(tbuf, sizeof(tbuf),
> + "%d", from_kuid_munged(user_ns, entry->uid));
> if (entry->uid_op == &uid_gt)
> seq_printf(m, pt(Opt_uid_gt), tbuf);
> else if (entry->uid_op == &uid_lt)
> @@ -2098,7 +2100,8 @@ int ima_policy_show(struct seq_file *m, void *v)
> }
>
> if (entry->flags & IMA_EUID) {
> - snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));
> + snprintf(tbuf, sizeof(tbuf),
> + "%d", from_kuid_munged(user_ns, entry->uid));
> if (entry->uid_op == &uid_gt)
> seq_printf(m, pt(Opt_euid_gt), tbuf);
> else if (entry->uid_op == &uid_lt)
> @@ -2109,7 +2112,8 @@ int ima_policy_show(struct seq_file *m, void *v)
> }
>
> if (entry->flags & IMA_GID) {
> - snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->gid));
> + snprintf(tbuf, sizeof(tbuf),
> + "%d", from_kgid_munged(user_ns, entry->gid));
> if (entry->gid_op == &gid_gt)
> seq_printf(m, pt(Opt_gid_gt), tbuf);
> else if (entry->gid_op == &gid_lt)
> @@ -2120,7 +2124,8 @@ int ima_policy_show(struct seq_file *m, void *v)
> }
>
> if (entry->flags & IMA_EGID) {
> - snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->gid));
> + snprintf(tbuf, sizeof(tbuf),
> + "%d", from_kgid_munged(user_ns, entry->gid));
> if (entry->gid_op == &gid_gt)
> seq_printf(m, pt(Opt_egid_gt), tbuf);
> else if (entry->gid_op == &gid_lt)
> @@ -2131,7 +2136,8 @@ int ima_policy_show(struct seq_file *m, void *v)
> }
>
> if (entry->flags & IMA_FOWNER) {
> - snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner));
> + snprintf(tbuf, sizeof(tbuf),
> + "%d", from_kuid_munged(user_ns, entry->fowner));
> if (entry->fowner_op == &uid_gt)
> seq_printf(m, pt(Opt_fowner_gt), tbuf);
> else if (entry->fowner_op == &uid_lt)
> @@ -2142,7 +2148,8 @@ int ima_policy_show(struct seq_file *m, void *v)
> }
>
> if (entry->flags & IMA_FGROUP) {
> - snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->fgroup));
> + snprintf(tbuf, sizeof(tbuf),
> + "%d", from_kgid_munged(user_ns, entry->fgroup));
> if (entry->fgroup_op == &gid_gt)
> seq_printf(m, pt(Opt_fgroup_gt), tbuf);
> else if (entry->fgroup_op == &gid_lt)
> --
> 2.31.1
>
>
next prev parent reply other threads:[~2022-01-26 14:43 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-25 22:46 [PATCH v9 00/23] ima: Namespace IMA with audit support in IMA-ns Stefan Berger
2022-01-25 22:46 ` [PATCH v9 01/23] ima: Remove ima_policy file before directory Stefan Berger
2022-01-26 8:30 ` Christian Brauner
2022-01-25 22:46 ` [PATCH v9 02/23] ima: Do not print policy rule with inactive LSM labels Stefan Berger
2022-01-26 8:38 ` Christian Brauner
2022-01-27 14:12 ` Mimi Zohar
2022-01-25 22:46 ` [PATCH v9 03/23] securityfs: rework dentry creation Stefan Berger
2022-01-25 22:46 ` [PATCH v9 04/23] securityfs: Extend securityfs with namespacing support Stefan Berger
2022-01-27 16:53 ` Mimi Zohar
2022-01-31 22:28 ` Stefan Berger
2022-01-31 23:43 ` Mimi Zohar
2022-01-25 22:46 ` [PATCH v9 05/23] ima: Define ima_namespace struct and start moving variables into it Stefan Berger
2022-01-26 8:47 ` Christian Brauner
2022-01-25 22:46 ` [PATCH v9 06/23] ima: Move arch_policy_entry into ima_namespace Stefan Berger
2022-01-26 9:11 ` Christian Brauner
2022-01-27 19:42 ` Mimi Zohar
2022-01-25 22:46 ` [PATCH v9 07/23] ima: Move ima_htable " Stefan Berger
2022-01-26 9:16 ` Christian Brauner
2022-01-25 22:46 ` [PATCH v9 08/23] ima: Move measurement list related variables " Stefan Berger
2022-01-26 9:21 ` Christian Brauner
2022-01-26 22:23 ` Stefan Berger
2022-01-27 21:48 ` Mimi Zohar
2022-01-28 14:06 ` Stefan Berger
2022-01-25 22:46 ` [PATCH v9 09/23] ima: Move some IMA policy and filesystem " Stefan Berger
2022-01-26 9:23 ` Christian Brauner
2022-01-27 22:30 ` Mimi Zohar
2022-01-28 15:44 ` Stefan Berger
2022-01-28 16:03 ` Mimi Zohar
2022-01-25 22:46 ` [PATCH v9 10/23] ima: Move IMA securityfs files into ima_namespace or onto stack Stefan Berger
2022-01-26 9:40 ` Christian Brauner
2022-01-27 17:02 ` Stefan Berger
2022-01-28 3:13 ` Mimi Zohar
2022-01-25 22:46 ` [PATCH v9 11/23] ima: Move ima_lsm_policy_notifier into ima_namespace Stefan Berger
2022-01-26 13:05 ` Christian Brauner
2022-01-26 21:54 ` Stefan Berger
2022-01-25 22:46 ` [PATCH v9 12/23] ima: Define mac_admin_ns_capable() as a wrapper for ns_capable() Stefan Berger
2022-01-26 13:43 ` Christian Brauner
2022-01-25 22:46 ` [PATCH v9 13/23] ima: Only accept AUDIT rules for non-init_ima_ns namespaces for now Stefan Berger
2022-01-26 13:44 ` Christian Brauner
2022-01-25 22:46 ` [PATCH v9 14/23] userns: Add pointer to ima_namespace to user_namespace Stefan Berger
2022-01-26 14:46 ` Christian Brauner
2022-01-25 22:46 ` [PATCH v9 15/23] ima: Implement hierarchical processing of file accesses Stefan Berger
2022-01-26 12:39 ` Christian Brauner
2022-01-26 22:05 ` Stefan Berger
2022-01-25 22:46 ` [PATCH v9 16/23] ima: Implement ima_free_policy_rules() for freeing of an ima_namespace Stefan Berger
2022-01-28 14:02 ` Mimi Zohar
2022-01-31 18:56 ` Stefan Berger
2022-01-25 22:46 ` [PATCH v9 17/23] ima: Add functions for creating and " Stefan Berger
2022-01-26 13:56 ` Christian Brauner
2022-01-25 22:46 ` [PATCH v9 18/23] integrity/ima: Define ns_status for storing namespaced iint data Stefan Berger
2022-01-25 22:46 ` [PATCH v9 19/23] ima: Namespace audit status flags Stefan Berger
2022-01-25 22:46 ` [PATCH v9 20/23] ima: Setup securityfs for IMA namespace Stefan Berger
2022-01-26 14:03 ` Christian Brauner
2022-01-25 22:46 ` [PATCH v9 21/23] ima: Introduce securityfs file to activate an " Stefan Berger
2022-01-26 14:31 ` Christian Brauner
2022-01-27 15:24 ` Stefan Berger
2022-01-25 22:46 ` [PATCH v9 22/23] ima: Show owning user namespace's uid and gid when displaying policy Stefan Berger
2022-01-26 14:43 ` Christian Brauner [this message]
2022-01-26 14:43 ` Christian Brauner
2022-01-26 23:13 ` Stefan Berger
2022-01-25 22:46 ` [PATCH v9 23/23] ima: Enable IMA namespaces Stefan Berger
2022-01-26 14:57 ` Christian Brauner
2022-01-26 13:19 ` [PATCH v9 00/23] ima: Namespace IMA with audit support in IMA-ns Christian Brauner
2022-01-28 18:34 ` Stefan Berger
2022-01-26 16:52 ` Stefan Berger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220126144326.ci646xkm7mjsqwci@wittgenstein \
--to=brauner@kernel.org \
--cc=christian.brauner@ubuntu.com \
--cc=containers@lists.linux.dev \
--cc=dmitry.kasatkin@gmail.com \
--cc=ebiederm@xmission.com \
--cc=jamjoom@us.ibm.com \
--cc=jejb@linux.ibm.com \
--cc=jmorris@namei.org \
--cc=krzysztof.struczynski@huawei.com \
--cc=lhinds@redhat.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lsturman@redhat.com \
--cc=mpeters@redhat.com \
--cc=paul@paul-moore.com \
--cc=puiterwi@redhat.com \
--cc=rgb@redhat.com \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=stefanb@linux.ibm.com \
--cc=stefanb@linux.vnet.ibm.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).