From: Stefan Berger
To: linux-integrity@vger.kernel.org
Cc: zohar@linux.ibm.com, serge@hallyn.com, christian.brauner@ubuntu.com, containers@lists.linux.dev, dmitry.kasatkin@gmail.com, ebiederm@xmission.com, krzysztof.struczynski@huawei.com, roberto.sassu@huawei.com, mpeters@redhat.com, lhinds@redhat.com, lsturman@redhat.com, puiterwi@redhat.com, jejb@linux.ibm.com, jamjoom@us.ibm.com, linux-kernel@vger.kernel.org, paul@paul-moore.com, rgb@redhat.com, linux-security-module@vger.kernel.org, jmorris@namei.org, jpenumak@redhat.com, Stefan Berger
Subject: [PATCH v12 23/26] ima: Show owning user namespace's uid and gid when displaying policy
Date: Wed, 20 Apr 2022 10:06:30 -0400
Message-Id: <20220420140633.753772-24-stefanb@linux.ibm.com>
In-Reply-To: <20220420140633.753772-1-stefanb@linux.ibm.com>
References: <20220420140633.753772-1-stefanb@linux.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Show the uid and gid values relative to the user
namespace that is currently active. The effect of this changes is that when one displays the policy from the user namespace that originally set the policy, the same uid and gid values are shown in the policy as those that were used when the policy was set. Signed-off-by: Stefan Berger Reviewed-by: Mimi Zohar --- v9: - use seq_user_ns and from_k{g,u}id_munged() --- security/integrity/ima/ima_policy.c | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index eb10d895923d..4f8c50ddb777 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -2018,6 +2018,7 @@ static void ima_policy_show_appraise_algos(struct seq_file *m, int ima_policy_show(struct seq_file *m, void *v) { + struct user_namespace *user_ns = seq_user_ns(m); struct ima_rule_entry *entry = v; int i; char tbuf[64] = {0,}; @@ -2103,7 +2104,8 @@ int ima_policy_show(struct seq_file *m, void *v) } if (entry->flags & IMA_UID) { - snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); + snprintf(tbuf, sizeof(tbuf), + "%d", from_kuid_munged(user_ns, entry->uid)); if (entry->uid_op == &uid_gt) seq_printf(m, pt(Opt_uid_gt), tbuf); else if (entry->uid_op == &uid_lt) @@ -2114,7 +2116,8 @@ int ima_policy_show(struct seq_file *m, void *v) } if (entry->flags & IMA_EUID) { - snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); + snprintf(tbuf, sizeof(tbuf), + "%d", from_kuid_munged(user_ns, entry->uid)); if (entry->uid_op == &uid_gt) seq_printf(m, pt(Opt_euid_gt), tbuf); else if (entry->uid_op == &uid_lt) @@ -2125,7 +2128,8 @@ int ima_policy_show(struct seq_file *m, void *v) } if (entry->flags & IMA_GID) { - snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->gid)); + snprintf(tbuf, sizeof(tbuf), + "%d", from_kgid_munged(user_ns, entry->gid)); if (entry->gid_op == &gid_gt) seq_printf(m, pt(Opt_gid_gt), tbuf); else if (entry->gid_op == &gid_lt) 
@@ -2136,7 +2140,8 @@ int ima_policy_show(struct seq_file *m, void *v) } if (entry->flags & IMA_EGID) { - snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->gid)); + snprintf(tbuf, sizeof(tbuf), + "%d", from_kgid_munged(user_ns, entry->gid)); if (entry->gid_op == &gid_gt) seq_printf(m, pt(Opt_egid_gt), tbuf); else if (entry->gid_op == &gid_lt) @@ -2147,7 +2152,8 @@ int ima_policy_show(struct seq_file *m, void *v) } if (entry->flags & IMA_FOWNER) { - snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner)); + snprintf(tbuf, sizeof(tbuf), + "%d", from_kuid_munged(user_ns, entry->fowner)); if (entry->fowner_op == &uid_gt) seq_printf(m, pt(Opt_fowner_gt), tbuf); else if (entry->fowner_op == &uid_lt) @@ -2158,7 +2164,8 @@ int ima_policy_show(struct seq_file *m, void *v) } if (entry->flags & IMA_FGROUP) { - snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->fgroup)); + snprintf(tbuf, sizeof(tbuf), + "%d", from_kgid_munged(user_ns, entry->fgroup)); if (entry->fgroup_op == &gid_gt) seq_printf(m, pt(Opt_fgroup_gt), tbuf); else if (entry->fgroup_op == &gid_lt) -- 2.34.1
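Review bot: the commit message says the ids are shown relative to "the user namespace that is currently active", but seq_user_ns(m) in the first hunk (the new `struct user_namespace *user_ns = seq_user_ns(m);` line) resolves to the user namespace of the credentials that opened the policy file, i.e. m->file->f_cred->user_ns, not the namespace of whichever task happens to be reading it. If the descriptor is inherited by, or passed to, a task in a different user namespace, the output stays relative to the opener. Consider rewording the commit message to "relative to the user namespace of the opener of the policy file", which is the semantics seq_user_ns() provides and matches how other seq_file-based /proc and securityfs files display ids.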
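Review bot: in the six hunks that switch from __k{u,g}id_val() to from_k{u,g}id_munged(user_ns, ...), an id that has no mapping in the reader's user namespace is not an error but is printed as the overflow id (65534 by default, configurable via /proc/sys/kernel/overflowuid and overflowgid). A rule installed as uid=0 in the initial namespace therefore reads back as `uid=65534` from a child namespace that has no mapping for root, which is indistinguishable from a rule that really targets uid 65534. That is the documented behaviour of the munged variants and is probably the right choice for a read-only display, but it deserves a sentence in the commit message so that anyone comparing a displayed policy against the one they wrote knows why the numbers can differ. Separately, from_kuid_munged() and from_kgid_munged() return uid_t/gid_t, which are unsigned; the "%d" format predates this patch, but since every one of these snprintf() lines is being rewritten anyway, `"%u"` would avoid printing a negative value for ids above INT_MAX.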