From: Stefan Berger
To: linux-integrity@vger.kernel.org
Cc: zohar@linux.ibm.com, serge@hallyn.com, christian.brauner@ubuntu.com, containers@lists.linux.dev, dmitry.kasatkin@gmail.com, ebiederm@xmission.com, krzysztof.struczynski@huawei.com, roberto.sassu@huawei.com, mpeters@redhat.com, lhinds@redhat.com, lsturman@redhat.com, puiterwi@redhat.com, jejb@linux.ibm.com, jamjoom@us.ibm.com, linux-kernel@vger.kernel.org, paul@paul-moore.com, rgb@redhat.com, linux-security-module@vger.kernel.org, jmorris@namei.org, Stefan Berger
Subject: [PATCH v9 22/23] ima: Show owning user namespace's uid and gid when displaying policy
Date: Tue, 25 Jan 2022 17:46:44 -0500
Message-Id: <20220125224645.79319-23-stefanb@linux.vnet.ibm.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20220125224645.79319-1-stefanb@linux.vnet.ibm.com>
References: <20220125224645.79319-1-stefanb@linux.vnet.ibm.com>

From: Stefan Berger

Show the uid and gid values relative to the user namespace that is currently active. The effect of this change is that when one displays the policy from the user namespace that originally set the policy, the same uid and gid values are shown in the policy as those that were used when the policy was set.
Signed-off-by: Stefan Berger --- v9: - use seq_user_ns and from_k{g,u}id_munged() --- security/integrity/ima/ima_policy.c | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 47f2d1b5d156..151f418036ee 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -2002,6 +2002,7 @@ static void ima_policy_show_appraise_algos(struct seq_file *m, int ima_policy_show(struct seq_file *m, void *v) { + struct user_namespace *user_ns = seq_user_ns(m); struct ima_rule_entry *entry = v; int i; char tbuf[64] = {0,}; @@ -2087,7 +2088,8 @@ int ima_policy_show(struct seq_file *m, void *v) } if (entry->flags & IMA_UID) { - snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); + snprintf(tbuf, sizeof(tbuf), + "%d", from_kuid_munged(user_ns, entry->uid)); if (entry->uid_op == &uid_gt) seq_printf(m, pt(Opt_uid_gt), tbuf); else if (entry->uid_op == &uid_lt) @@ -2098,7 +2100,8 @@ int ima_policy_show(struct seq_file *m, void *v) } if (entry->flags & IMA_EUID) { - snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); + snprintf(tbuf, sizeof(tbuf), + "%d", from_kuid_munged(user_ns, entry->uid)); if (entry->uid_op == &uid_gt) seq_printf(m, pt(Opt_euid_gt), tbuf); else if (entry->uid_op == &uid_lt) @@ -2109,7 +2112,8 @@ int ima_policy_show(struct seq_file *m, void *v) } if (entry->flags & IMA_GID) { - snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->gid)); + snprintf(tbuf, sizeof(tbuf), + "%d", from_kgid_munged(user_ns, entry->gid)); if (entry->gid_op == &gid_gt) seq_printf(m, pt(Opt_gid_gt), tbuf); else if (entry->gid_op == &gid_lt) 
@@ -2120,7 +2124,8 @@ int ima_policy_show(struct seq_file *m, void *v) } if (entry->flags & IMA_EGID) { - snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->gid)); + snprintf(tbuf, sizeof(tbuf), + "%d", from_kgid_munged(user_ns, entry->gid)); if (entry->gid_op == &gid_gt) seq_printf(m, pt(Opt_egid_gt), tbuf); else if (entry->gid_op == &gid_lt) @@ -2131,7 +2136,8 @@ int ima_policy_show(struct seq_file *m, void *v) } if (entry->flags & IMA_FOWNER) { - snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner)); + snprintf(tbuf, sizeof(tbuf), + "%d", from_kuid_munged(user_ns, entry->fowner)); if (entry->fowner_op == &uid_gt) seq_printf(m, pt(Opt_fowner_gt), tbuf); else if (entry->fowner_op == &uid_lt) @@ -2142,7 +2148,8 @@ int ima_policy_show(struct seq_file *m, void *v) } if (entry->flags & IMA_FGROUP) { - snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->fgroup)); + snprintf(tbuf, sizeof(tbuf), + "%d", from_kgid_munged(user_ns, entry->fgroup)); if (entry->fgroup_op == &gid_gt) seq_printf(m, pt(Opt_fgroup_gt), tbuf); else if (entry->fgroup_op == &gid_lt) -- 2.31.1
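Review bot: seq_user_ns(m) in the first hunk resolves to the user namespace of the credentials that opened the policy file (seq->file->f_cred->user_ns), not the namespace of the task currently reading it, so the displayed mapping is fixed at open time; this matches the commit message's "user namespace that is currently active" only in the usual case where the same task opens and reads the file, and the commit message would be clearer if it said the opener's namespace is the one used.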
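Review bot: in the IMA_UID hunk, from_kuid_munged(user_ns, entry->uid) substitutes overflowuid (65534 by default) for a kuid that has no mapping in user_ns, so a rule whose uid is unmapped in the reader's namespace is printed exactly like a rule on uid 65534; if that ambiguity matters when auditing the policy, the hunk could first test from_kuid() for (uid_t)-1 and mark such rules instead of printing the overflow value. A smaller point: from_kuid_munged() returns uid_t, so "%u" is the type-correct format, although "%d" is carried over from the replaced __kuid_val() line.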
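Review bot: the IMA_FGROUP hunk is the sixth copy of the same three-line snprintf() pattern, varying only in the entry field and in whether from_kuid_munged() or from_kgid_munged() is called; a small static helper taking user_ns and the kuid_t/kgid_t would keep the munging in one place and make the IMA_EUID and IMA_EGID blocks, which reuse entry->uid and entry->gid rather than separate fields, easier to audit.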