Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp5494877pxb; Wed, 26 Jan 2022 13:22:53 -0800 (PST) X-Google-Smtp-Source: ABdhPJwaiDFn+vwwkecw/LwR0U/Vvyy6TM5W2xRvtbHq6TS/EIPPBXMuShcT99dHdan7vPuMZyS1 X-Received: by 2002:a63:550f:: with SMTP id j15mr599411pgb.40.1643232172883; Wed, 26 Jan 2022 13:22:52 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1643232172; cv=none; d=google.com; s=arc-20160816; b=eVGVgK1FQoC4jPxgIv2C+4kJBTATy2e3zFF2bgSZ5hPYhfyjv4fsw5KdKN6b5055q8 XchjqA0T6X4FOsvxy5d6GJabdbObkhNR4/mul6n2XEZN8B5cGtSbQ4CcmCrVP3QwMSyp OKvsEr0eoLmRzEyNxgfBiBMhC6jKsYUbHhDPjSyrk6bLXITAILRTCJT2Xpn1eujmDrJ8 eMiGbQz1Bp1+Y/gLvZGXCz2gKPsfkeBpdFG1OUE1nUkUuOrhWYl1DyJoicvSkocW/xFl 4sNoWyjMAyFW75FEoKyBknyKjsL+IOkiqbQkwat61oir6TzrIFTWW6Nmfo6VqPN4o1f8 gpYw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=+Xtui1HoqIMDIvw4Aq/WaCcXmNZXpu5Ow9CIPysBfqw=; b=PL0fIdogfZlx3LICq1+EsZ/RXlJkBYLcWHDr12Epj/HIfcGUGDVQKd/gKatsmfsILq 5GNgjTzdRHebuA5sW0F8sY9eabQDELGrzBlfnLPrjFXZyObZSKLklEQ+YrfZUvfOq2YQ ChhhVkbWot04sD5ZD+Ke9zDyaxUAQhKWEDqK/oPk7K6k1cxhjwoxRORtp9GCGT5xCoX4 LId+xQBjdFz1hzKO/n7822xN52t7pmZyuKYC1eu+sBUt/Np/u3gH+g9jb/sED5cVH1qu 0MJgfCts70+038mwd6/aCjAnrMptpfdxs9xFBEmPFtCNHR+Djrdny+a6x2Zqqm6XAY2l NdNQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=Qx9WNWys; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id 19si4085091pjh.68.2022.01.26.13.22.40; Wed, 26 Jan 2022 13:22:52 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=Qx9WNWys; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240873AbiAZNnq (ORCPT + 99 others); Wed, 26 Jan 2022 08:43:46 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47742 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240712AbiAZNnp (ORCPT ); Wed, 26 Jan 2022 08:43:45 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A8923C06161C; Wed, 26 Jan 2022 05:43:45 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 49DA56152F; Wed, 26 Jan 2022 13:43:45 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 85E67C340E3; Wed, 26 Jan 2022 13:43:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1643204624; bh=yMFvQqxwqDIuVp2GIpZdDIZGBM7hvQhOlI6IOZPBOgE=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=Qx9WNWys+iiLYrvUd4CWOuHHnhQvnpVRXmVi2MI/CITSzaAzGOTRze+m6CfEoShf/ hTbDRkepUg2XL2mpNrXu8iXnjqxB2Du40xy1r1uuVa+jaP51K0tVTyokxsgneACiqw jxQ7IwM42MhvSrlogC2ZOYBAM7BZhdWNWHZ8PDWvPVDCfGXwJcry7+rzTUqnr5wCe+ txrT1d0XTdYlduALq9rE0litfBoLodTHICmuSo8uzuoMLzLV03qMcXZNNEvBYmTo2/ uUxXuuQP0BE+/aQLrgS9KokhlCf9rbYUKHQcjuV8yB/8Spm88i5Juw3HmOk9hArGSl e62YCoQC2oZsQ== Date: Wed, 26 Jan 2022 14:43:36 +0100 From: Christian Brauner To: Stefan Berger Cc: linux-integrity@vger.kernel.org, zohar@linux.ibm.com, serge@hallyn.com, christian.brauner@ubuntu.com, containers@lists.linux.dev, dmitry.kasatkin@gmail.com, ebiederm@xmission.com, krzysztof.struczynski@huawei.com, roberto.sassu@huawei.com, mpeters@redhat.com, lhinds@redhat.com, lsturman@redhat.com, puiterwi@redhat.com, jejb@linux.ibm.com, jamjoom@us.ibm.com, linux-kernel@vger.kernel.org, paul@paul-moore.com, rgb@redhat.com, linux-security-module@vger.kernel.org, jmorris@namei.org, Stefan Berger , Denis Semakin Subject: Re: [PATCH v9 12/23] ima: Define mac_admin_ns_capable() as a wrapper for ns_capable() Message-ID: <20220126134336.fqaqwzed3cpaz2vi@wittgenstein> References: <20220125224645.79319-1-stefanb@linux.vnet.ibm.com> <20220125224645.79319-13-stefanb@linux.vnet.ibm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20220125224645.79319-13-stefanb@linux.vnet.ibm.com> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jan 25, 2022 at 05:46:34PM -0500, Stefan Berger wrote: > From: Stefan Berger > > Define mac_admin_ns_capable() as a wrapper for the combined ns_capable() > checks on CAP_MAC_ADMIN and CAP_SYS_ADMIN in a user namespace. Return > true on the check if either capability or both are available. > > Use mac_admin_ns_capable() in place of capable(SYS_ADMIN). This will allow > an IMA namespace to read the policy with only CAP_MAC_ADMIN, which has > less privileges than CAP_SYS_ADMIN. > > Signed-off-by: Denis Semakin > Signed-off-by: Stefan Berger > --- It's unfortunate that the securityfs namespacing patch with FS_USERNS_MOUNT set comes before this patch. The check below with ima_open_policy() operates on an unprivileged userns if securityfs is mounted in there. But the ima namespace is the hardcoded as the initial ima namespace. I'd rather have the securityfs namespacing patch moved very late in the series. Even if might not yet possible to open an ima policy in a non-init userns at this point in the patch series, it still is confusing in terms of ordering. Especially when considering this were to land in an upstream tree and one would later in a few years have to read through the history of this code again. > static int ima_open_policy(struct inode *inode, struct file *filp) > { > +#ifdef CONFIG_IMA_READ_POLICY > + struct user_namespace *user_ns = ima_user_ns_from_file(filp); > +#endif > include/linux/capability.h | 6 ++++++ > security/integrity/ima/ima.h | 6 ++++++ > security/integrity/ima/ima_fs.c | 5 ++++- > 3 files changed, 16 insertions(+), 1 deletion(-) > > diff --git a/include/linux/capability.h b/include/linux/capability.h > index 65efb74c3585..991579178f32 100644 > --- a/include/linux/capability.h > +++ b/include/linux/capability.h > @@ -270,6 +270,12 @@ static inline bool checkpoint_restore_ns_capable(struct user_namespace *ns) > ns_capable(ns, CAP_SYS_ADMIN); > } > > +static inline bool mac_admin_ns_capable(struct user_namespace *ns) > +{ > + return ns_capable(ns, CAP_MAC_ADMIN) || > + ns_capable(ns, CAP_SYS_ADMIN); > +} > + > /* audit system wants to get cap info from files as well */ > int get_vfs_caps_from_disk(struct user_namespace *mnt_userns, > const struct dentry *dentry, > diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h > index fb6bd054d899..0057b1fd6c18 100644 > --- a/security/integrity/ima/ima.h > +++ b/security/integrity/ima/ima.h > @@ -487,4 +487,10 @@ static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op, > #define POLICY_FILE_FLAGS S_IWUSR > #endif /* CONFIG_IMA_READ_POLICY */ > > +static inline > +struct user_namespace *ima_user_ns_from_file(const struct file *filp) > +{ > + return file_inode(filp)->i_sb->s_user_ns; > +} > + > #endif /* __LINUX_IMA_H */ > diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c > index 3afb7a74d2cf..9162f06d182f 100644 > --- a/security/integrity/ima/ima_fs.c > +++ b/security/integrity/ima/ima_fs.c > @@ -377,6 +377,9 @@ static const struct seq_operations ima_policy_seqops = { > */ > static int ima_open_policy(struct inode *inode, struct file *filp) > { > +#ifdef CONFIG_IMA_READ_POLICY > + struct user_namespace *user_ns = ima_user_ns_from_file(filp); > +#endif > struct ima_namespace *ns = &init_ima_ns; > > if (!(filp->f_flags & O_WRONLY)) { > @@ -385,7 +388,7 @@ static int ima_open_policy(struct inode *inode, struct file *filp) > #else > if ((filp->f_flags & O_ACCMODE) != O_RDONLY) > return -EACCES; > - if (!capable(CAP_SYS_ADMIN)) > + if (!mac_admin_ns_capable(user_ns)) > return -EPERM; > return seq_open(filp, &ima_policy_seqops); > #endif > -- > 2.31.1 > >