Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp3190365pxa; Tue, 18 Aug 2020 08:48:35 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzF1THXka3PtKea5HE7Wc/mt/9GqMGU1MpOvT6nARVDT1x2G//ANZ9fMw7PEfSzdPHL5r9X X-Received: by 2002:a17:906:364e:: with SMTP id r14mr19786352ejb.295.1597765715452; Tue, 18 Aug 2020 08:48:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1597765715; cv=none; d=google.com; s=arc-20160816; b=NJM6LHiKsm8h/DXOV7saifBmlEkktUP0aPdzi2qkDKShEAUK0oopbbokmcqZDrxhvr 3lp3kzFcMEwD1Q+TCPZw1N7bm/RJtZixoXdjiPhDTILyezIGx13qDCgDx2fev5Lg8f9S Dty/pK116BbHMABQ8ojXqUhgEcB3t6ddP+j+bk+uhhr1o4DA5ALLeEmeD1eTWgRxuzXk lNrJ3bV6Iah+e8ekDYM/Xrd+Rh7o76THUrfj8SA7maE6OtkJ5o7K1o+3x39yp68fq0Cp +opyikpFz6B+2GRTSLaF1lqUDQW0hTqHzweyy2EsqhEFZaNp5ZWDlvQIr5/kbxOeiLjT JtPw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=txiUOvM1/E4UHIBWdjqBXgJ65EFxaAEedJ4iRwA4zQM=; b=dnL/LOuB8WSL5w2ne1aYagZ3JEVJdaswDLM4gnFDWknJxSaiIMMc+sk0POge4uRKl5 RgL4+ZBMmLkp2BuBz4rgyafiL9wBZ0O8+UvPXyFcZpZi3+RSd+n+FbrnDQbnSpNJbPuj X7yJVVnF833SJh75KM4Ou2NpHcD2+YjzrQe50YWBDMqMucSBML218c/1jtutP9KEeCz4 RZHgHZX5O1jrm81onKmWKJw80mRbHxEoQUU166TI7vTyy1sRw0gQ2zsQBQORVod/6flJ vsghvwxUSLMabrnOfwpYvK5xS+OaMz3gCWTCh6DBI+QX7w2u0QSAZfmue2qugwsim/kj 8ekg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id s15si13211365ejc.7.2020.08.18.08.48.11; Tue, 18 Aug 2020 08:48:35 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728092AbgHRPql (ORCPT + 99 others); Tue, 18 Aug 2020 11:46:41 -0400 Received: from lhrrgout.huawei.com ([185.176.76.210]:2641 "EHLO huawei.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726834AbgHRPpo (ORCPT ); Tue, 18 Aug 2020 11:45:44 -0400 Received: from lhreml722-chm.china.huawei.com (unknown [172.18.7.106]) by Forcepoint Email with ESMTP id A69F3321DE040DAE081E; Tue, 18 Aug 2020 16:45:42 +0100 (IST) Received: from kstruczy-linux-box (10.204.65.138) by lhreml722-chm.china.huawei.com (10.201.108.73) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1913.5; Tue, 18 Aug 2020 16:45:41 +0100 Received: by kstruczy-linux-box (sSMTP sendmail emulation); Tue, 18 Aug 2020 17:45:43 +0200 From: To: , , , CC: , , , , , , , , , , Krzysztof Struczynski Subject: [RFC PATCH 18/30] ima: Change the owning user namespace of the ima namespace if necessary Date: Tue, 18 Aug 2020 17:42:18 +0200 Message-ID: <20200818154230.14016-9-krzysztof.struczynski@huawei.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20200818154230.14016-1-krzysztof.struczynski@huawei.com> References: <20200818154230.14016-1-krzysztof.struczynski@huawei.com> MIME-Version: 1.0 Content-Transfer-Encoding: 7BIT Content-Type: text/plain; charset=US-ASCII X-Originating-IP: [10.204.65.138] X-ClientProxiedBy: fraeml707-chm.china.huawei.com (10.206.15.35) To lhreml722-chm.china.huawei.com (10.201.108.73) X-CFilter-Loop: Reflected Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Krzysztof Struczynski It's possible that the user first unshares the ima namespace and then creates a new user namespace using clone3(). In that case the owning user namespace is the newly created one, because it is associated with the first process in the new ima namespace. Signed-off-by: Krzysztof Struczynski --- include/linux/ima.h | 6 +++-- kernel/nsproxy.c | 2 +- security/integrity/ima/ima_ns.c | 42 +++++++++++++++++++++++++++------ 3 files changed, 40 insertions(+), 10 deletions(-) diff --git a/include/linux/ima.h b/include/linux/ima.h index 7eb7a008c5fe..4b5b832417b0 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -216,7 +216,8 @@ struct ima_namespace *copy_ima_ns(unsigned long flags, void free_ima_ns(struct kref *kref); -int imans_on_fork(struct nsproxy *nsproxy, struct task_struct *tsk); +int imans_on_fork(struct nsproxy *nsproxy, struct task_struct *tsk, + struct user_namespace *user_ns); static inline struct ima_namespace *get_ima_ns(struct ima_namespace *ns) { @@ -239,7 +240,8 @@ static inline struct ima_namespace *copy_ima_ns(unsigned long flags, } static inline int imans_on_fork(struct nsproxy *nsproxy, - struct task_struct *tsk) + struct task_struct *tsk, + struct user_namespace *user_ns) { return 0; } diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c index 791efffd7a03..4b1ecf405f11 100644 --- a/kernel/nsproxy.c +++ b/kernel/nsproxy.c @@ -204,7 +204,7 @@ int copy_namespaces(unsigned long flags, struct task_struct *tsk) return ret; } - ret = imans_on_fork(new_ns, tsk); + ret = imans_on_fork(new_ns, tsk, user_ns); if (ret) { free_nsproxy(new_ns); return ret; diff --git a/security/integrity/ima/ima_ns.c b/security/integrity/ima/ima_ns.c index 3012287b22d2..b8bfab39b55b 100644 --- a/security/integrity/ima/ima_ns.c +++ b/security/integrity/ima/ima_ns.c @@ -92,6 +92,24 @@ static void ima_set_ns_policy(struct ima_namespace *ima_ns, ima_init_ns_policy(ima_ns, &setup_data); } +static int ima_swap_user_ns(struct ima_namespace *ima_ns, + struct user_namespace *user_ns) +{ + struct ucounts *ucounts; + + dec_ima_namespaces(ima_ns->ucounts); + put_user_ns(ima_ns->user_ns); + + ucounts = inc_ima_namespaces(user_ns); + if (!ucounts) + return -ENOSPC; + + ima_ns->user_ns = get_user_ns(user_ns); + ima_ns->ucounts = ucounts; + + return 0; +} + /** * Clone a new ns copying an original ima namespace, setting refcount to 1 * @@ -337,23 +355,33 @@ static int imans_install(struct nsset *nsset, struct ns_common *new) return res; } -int imans_on_fork(struct nsproxy *nsproxy, struct task_struct *tsk) +int imans_on_fork(struct nsproxy *nsproxy, struct task_struct *tsk, + struct user_namespace *user_ns) { int res; - struct ns_common *nsc = &nsproxy->ima_ns_for_children->ns; - struct ima_namespace *ns = to_ima_ns(nsc); + struct ima_namespace *ima_ns = nsproxy->ima_ns_for_children; /* create_new_namespaces() already incremented the ref counter */ - if (nsproxy->ima_ns == nsproxy->ima_ns_for_children) + if (nsproxy->ima_ns == ima_ns) return 0; - res = imans_activate(ns); + /* It's possible that the user first unshares the IMA namespace and + * then creates a new user namespace on clone3(). In that case swap + * user namespace for the "current" one. + */ + if (ima_ns->user_ns != user_ns) { + res = ima_swap_user_ns(ima_ns, user_ns); + if (res) + return res; + } + + res = imans_activate(ima_ns); if (res) return res; - get_ima_ns(ns); + get_ima_ns(ima_ns); put_ima_ns(nsproxy->ima_ns); - nsproxy->ima_ns = ns; + nsproxy->ima_ns = ima_ns; return res; } -- 2.20.1