2021-07-05 11:59:01

by Roberto Sassu

Subject: [PATCH] ima: Support euid keyword for buffer measurement

This patch makes the 'euid' keyword available for buffer measurement rules,
in the same way as for other rules. Currently, there is only support for
the 'uid' keyword.

With this change, buffer measurement (or non-measurement) can depend also
on the process effective UID.

Signed-off-by: Roberto Sassu <[email protected]>
---
security/integrity/ima/ima_policy.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index fd5d46e511f1..fdaa030fb04b 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -480,6 +480,16 @@ static bool ima_match_rule_data(struct ima_rule_entry *rule,
if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
return false;

+ if (rule->flags & IMA_EUID) {
+ if (has_capability_noaudit(current, CAP_SETUID)) {
+ if (!rule->uid_op(cred->euid, rule->uid)
+ && !rule->uid_op(cred->suid, rule->uid)
+ && !rule->uid_op(cred->uid, rule->uid))
+ return false;
+ } else if (!rule->uid_op(cred->euid, rule->uid))
+ return false;
+ }
+
switch (rule->func) {
case KEY_CHECK:
if (!rule->keyrings)
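Review bot: the commit message says euid is to work "in the same way as for other rules", which implies this IMA_EUID block (CAP_SETUID holders matched on any of euid/suid/uid, everyone else on euid only) is a copy of the euid check those other rules already use; if so, lift the shared logic into one small helper, e.g. `static bool ima_match_euid(struct ima_rule_entry *rule, const struct cred *cred)`, and call it from both places so the two copies cannot drift apart. A one-line comment above the `has_capability_noaudit(current, CAP_SETUID)` branch explaining why a privileged task is matched on all three ids would also help a later reader, since the reasoning is not visible from the code alone.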
@@ -1153,7 +1163,7 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
if (entry->action & ~(MEASURE | DONT_MEASURE))
return false;

- if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR |
+ if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_EUID | IMA_PCR |
IMA_LABEL))
return false;
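Review bot: widening the accepted-flags mask to include IMA_EUID is the only change to ima_validate_rule(), and the diffstat lists ima_policy.c alone; if the policy ABI documentation enumerates which keywords buffer-measurement rules accept, it should be updated in the same patch so the documented and enforced keyword sets stay in sync. Since the commit message mentions no test, a check that a rule combining euid= with one of the buffer funcs now validates, while a rule carrying an unrelated flag is still rejected, would be worth adding alongside.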

--
2.25.1

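As an added illustration of the matching semantics the patch introduces, and not code from the kernel or from this patch: a userspace C model of how an IMA rule's uid=/euid= condition is evaluated against a task's credentials, including the CAP_SETUID fallback to suid and uid. The struct layouts, the condition parser and `cond_matches` are simplified assumptions for this example.

```c
/* Added example, not kernel code: userspace model of IMA uid=/euid= rule matching. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

enum { IMA_UID = 0x1, IMA_EUID = 0x2 };
struct cred_model { unsigned uid, euid, suid; bool cap_setuid; };
/* rule->uid serves both uid= and euid=; uid_op is '=', '>' or '<', set at parse time */
struct rule_model { unsigned flags, uid; bool (*uid_op)(unsigned, unsigned); };
static bool op_eq(unsigned a, unsigned b) { return a == b; }
static bool op_gt(unsigned a, unsigned b) { return a > b; }
static bool op_lt(unsigned a, unsigned b) { return a < b; }

/* Parse "uid=N", "euid=N", "euid>N" or "euid<N"; false on malformed input. */
bool parse_uid_cond(const char *cond, struct rule_model *rule)
{
    const char *p; char *end;
    if (!strncmp(cond, "euid", 4)) { rule->flags |= IMA_EUID; p = cond + 4; }
    else if (!strncmp(cond, "uid", 3)) { rule->flags |= IMA_UID; p = cond + 3; }
    else return false;
    rule->uid_op = *p == '=' ? op_eq : *p == '>' ? op_gt : *p == '<' ? op_lt : NULL;
    if (!rule->uid_op) return false;
    rule->uid = (unsigned)strtoul(p + 1, &end, 10);
    return end != p + 1 && *end == '\0';
}

/* Mirrors the uid/euid checks of ima_match_rule_data() after the patch. */
bool rule_uid_matches(const struct rule_model *rule, const struct cred_model *cred)
{
    if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
        return false;
    if (rule->flags & IMA_EUID) {
        if (cred->cap_setuid) {
            /* A CAP_SETUID task can swap uid/euid/suid, so any of the three counts. */
            if (!rule->uid_op(cred->euid, rule->uid) &&
                !rule->uid_op(cred->suid, rule->uid) &&
                !rule->uid_op(cred->uid, rule->uid))
                return false;
        } else if (!rule->uid_op(cred->euid, rule->uid))
            return false; /* unprivileged: only the effective UID counts */
    }
    return true;
}
/* One condition string evaluated against raw credential values. */
bool cond_matches(const char *cond, unsigned uid, unsigned euid, unsigned suid, bool cap)
{
    struct rule_model rule = { 0, 0, NULL };
    struct cred_model cred = { uid, euid, suid, cap };
    return parse_uid_cond(cond, &rule) && rule_uid_matches(&rule, &cred);
}
```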

2021-07-06 19:31:18

by Lakshmi Ramasubramanian

Subject: Re: [PATCH] ima: Support euid keyword for buffer measurement

On 7/5/2021 4:56 AM, Roberto Sassu wrote:

Hi Roberto,

> This patch makes the 'euid' keyword available for buffer measurement rules,
> in the same way as for other rules. Currently, there is only support for
> the 'uid' keyword.
>
> With this change, buffer measurement (or non-measurement) can depend also
> on the process effective UID.

Who (kernel component) will be using this?

Maybe you could make this change as part of the patch set in which the
above "euid" support will be used.

thanks,
-lakshmi

>
> Signed-off-by: Roberto Sassu <[email protected]>
> ---
> security/integrity/ima/ima_policy.c | 12 +++++++++++-
> 1 file changed, 11 insertions(+), 1 deletion(-)
>
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index fd5d46e511f1..fdaa030fb04b 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -480,6 +480,16 @@ static bool ima_match_rule_data(struct ima_rule_entry *rule,
> if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
> return false;
>
> + if (rule->flags & IMA_EUID) {
> + if (has_capability_noaudit(current, CAP_SETUID)) {
> + if (!rule->uid_op(cred->euid, rule->uid)
> + && !rule->uid_op(cred->suid, rule->uid)
> + && !rule->uid_op(cred->uid, rule->uid))
> + return false;
> + } else if (!rule->uid_op(cred->euid, rule->uid))
> + return false;
> + }
> +
> switch (rule->func) {
> case KEY_CHECK:
> if (!rule->keyrings)
> @@ -1153,7 +1163,7 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
> if (entry->action & ~(MEASURE | DONT_MEASURE))
> return false;
>
> - if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR |
> + if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_EUID | IMA_PCR |
> IMA_LABEL))
> return false;
>
>

2021-07-07 07:16:54

by Roberto Sassu

Subject: RE: [PATCH] ima: Support euid keyword for buffer measurement

> From: Lakshmi Ramasubramanian [mailto:[email protected]]
> Sent: Tuesday, July 6, 2021 9:30 PM
> On 7/5/2021 4:56 AM, Roberto Sassu wrote:
>
> Hi Roberto,
>
> > This patch makes the 'euid' keyword available for buffer measurement rules,
> > in the same way as for other rules. Currently, there is only support for
> > the 'uid' keyword.
> >
> > With this change, buffer measurement (or non-measurement) can depend
> also
> > on the process effective UID.
>
> Who (kernel component) will be using this?

Hi Lakshmi,

I'm using it in a (not yet submitted) test for digest lists.

It is in a dont_measure rule to try to unload a digest list
without measurement and to check that this is not allowed
if the digest list was measured at addition time (to ensure
completeness of information).

> Maybe you could make this change as part of the patch set in which the
> above "euid" support will be used.

I wanted to send the digest lists patch set without anything
else. I could resend the patch as part of that patch set if it is
preferred.

Thanks

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli

> thanks,
> -lakshmi
>
> >
> > Signed-off-by: Roberto Sassu <[email protected]>
> > ---
> > security/integrity/ima/ima_policy.c | 12 +++++++++++-
> > 1 file changed, 11 insertions(+), 1 deletion(-)
> >
> > diff --git a/security/integrity/ima/ima_policy.c
> b/security/integrity/ima/ima_policy.c
> > index fd5d46e511f1..fdaa030fb04b 100644
> > --- a/security/integrity/ima/ima_policy.c
> > +++ b/security/integrity/ima/ima_policy.c
> > @@ -480,6 +480,16 @@ static bool ima_match_rule_data(struct
> ima_rule_entry *rule,
> > if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
> > return false;
> >
> > + if (rule->flags & IMA_EUID) {
> > + if (has_capability_noaudit(current, CAP_SETUID)) {
> > + if (!rule->uid_op(cred->euid, rule->uid)
> > + && !rule->uid_op(cred->suid, rule->uid)
> > + && !rule->uid_op(cred->uid, rule->uid))
> > + return false;
> > + } else if (!rule->uid_op(cred->euid, rule->uid))
> > + return false;
> > + }
> > +
> > switch (rule->func) {
> > case KEY_CHECK:
> > if (!rule->keyrings)
> > @@ -1153,7 +1163,7 @@ static bool ima_validate_rule(struct
> ima_rule_entry *entry)
> > if (entry->action & ~(MEASURE | DONT_MEASURE))
> > return false;
> >
> > - if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR |
> > + if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_EUID |
> IMA_PCR |
> > IMA_LABEL))
> > return false;
> >
> >

2021-07-19 22:05:37

by Mimi Zohar

Subject: Re: [PATCH] ima: Support euid keyword for buffer measurement

Hi Roberto,

On Wed, 2021-07-07 at 07:15 +0000, Roberto Sassu wrote:
> > From: Lakshmi Ramasubramanian [mailto:[email protected]]
> > Sent: Tuesday, July 6, 2021 9:30 PM
> > On 7/5/2021 4:56 AM, Roberto Sassu wrote:
> >
> > Hi Roberto,
> >
> > > This patch makes the 'euid' keyword available for buffer measurement rules,
> > > in the same way as for other rules. Currently, there is only support for
> > > the 'uid' keyword.
> > >
> > > With this change, buffer measurement (or non-measurement) can depend
> > also
> > > on the process effective UID.
> >
> > Who (kernel component) will be using this?
>
> Hi Lakshmi
>
> I'm using it in a (not yet submitted) test for digest lists.
>
> It is in a dont_measure rule to try to unload a digest list
> without measurement and to check that this is not allowed
> if the digest list was measured at addition time (to ensure
> completeness of information).
>
> > Maybe you could make this change as part of the patch set in which the
> > above "euid" support will be used.
>
> I wanted to send the digest lists patch set without anything
> else. I could resend the patch as part of that patch set if it is
> preferred.

Unless there is another use case, please keep it with the digest list
tests patch set.

Reviewed-by: Mimi Zohar <[email protected]>

thanks,

Mimi