
Commit 8b94eea4 authored by Eric W. Biederman's avatar Eric W. Biederman

userns: Add user namespace support to IMA



Use kuids in the IMA rules.

When reporting the current uid in audit logs use from_kuid
to get a usable value.

Cc: Mimi Zohar <zohar@us.ibm.com>
Acked-by: default avatarSerge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: default avatarEric W. Biederman <ebiederm@xmission.com>
parent cf9c9352
+0 −4
@@ -923,10 +923,6 @@ config UIDGID_CONVERTED
	bool
	default y

	# List of kernel pieces that need user namespace work
	# Features
	depends on IMA = n

	# Networking
	depends on NET_9P = n

+3 −2
@@ -39,8 +39,9 @@ void integrity_audit_msg(int audit_msgno, struct inode *inode,

	ab = audit_log_start(current->audit_context, GFP_KERNEL, audit_msgno);
	audit_log_format(ab, "pid=%d uid=%u auid=%u ses=%u",
			 current->pid, current_cred()->uid,
			 audit_get_loginuid(current),
			 current->pid,
			 from_kuid(&init_user_ns, current_cred()->uid),
			 from_kuid(&init_user_ns, audit_get_loginuid(current)),
			 audit_get_sessionid(current));
	audit_log_task_context(ab);
	audit_log_format(ab, " op=");
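Review bot: The two new from_kuid(&init_user_ns, ...) arguments carry no comment saying why the initial namespace is used rather than the caller's, which is the first question a reader of integrity_audit_msg will ask. A one-line comment above the audit_log_format call would settle it: `/* audit records are system-wide, so uids are reported relative to init_user_ns */`. from_kuid() yields (uid_t)-1 for a kuid with no mapping, which is presumably the same value the old code logged for an unset loginuid, so the "%u" format and the log contents for that case should be unchanged. integrity_audit_msg starts before this hunk.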
+7 −7
@@ -39,7 +39,7 @@ struct ima_measure_rule_entry {
	enum ima_hooks func;
	int mask;
	unsigned long fsmagic;
	uid_t uid;
	kuid_t uid;
	struct {
		void *rule;	/* LSM file metadata specific */
		int type;	/* audit type */
@@ -71,7 +71,7 @@ static struct ima_measure_rule_entry default_rules[] = {
	 .flags = IMA_FUNC | IMA_MASK},
	{.action = MEASURE,.func = BPRM_CHECK,.mask = MAY_EXEC,
	 .flags = IMA_FUNC | IMA_MASK},
	{.action = MEASURE,.func = FILE_CHECK,.mask = MAY_READ,.uid = 0,
	{.action = MEASURE,.func = FILE_CHECK,.mask = MAY_READ,.uid = GLOBAL_ROOT_UID,
	 .flags = IMA_FUNC | IMA_MASK | IMA_UID},
};

@@ -112,7 +112,7 @@ static bool ima_match_rules(struct ima_measure_rule_entry *rule,
	if ((rule->flags & IMA_FSMAGIC)
	    && rule->fsmagic != inode->i_sb->s_magic)
		return false;
	if ((rule->flags & IMA_UID) && rule->uid != cred->uid)
	if ((rule->flags & IMA_UID) && !uid_eq(rule->uid, cred->uid))
		return false;
	for (i = 0; i < MAX_LSM_RULES; i++) {
		int rc = 0;
@@ -277,7 +277,7 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry)

	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_RULE);

	entry->uid = -1;
	entry->uid = INVALID_UID;
	entry->action = UNKNOWN;
	while ((p = strsep(&rule, " \t")) != NULL) {
		substring_t args[MAX_OPT_ARGS];
@@ -361,15 +361,15 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry)
		case Opt_uid:
			ima_log_string(ab, "uid", args[0].from);

			if (entry->uid != -1) {
			if (uid_valid(entry->uid)) {
				result = -EINVAL;
				break;
			}

			result = strict_strtoul(args[0].from, 10, &lnum);
			if (!result) {
				entry->uid = (uid_t) lnum;
				if (entry->uid != lnum)
				entry->uid = make_kuid(current_user_ns(), (uid_t)lnum);
				if (!uid_valid(entry->uid) || (((uid_t)lnum) != lnum))
					result = -EINVAL;
				else
					entry->flags |= IMA_UID;
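Review bot: In the Opt_uid case, make_kuid(current_user_ns(), (uid_t)lnum) binds the rule to the user namespace of whoever writes the policy, and nothing in the hunk records that decision; a comment above that line would help, e.g. `/* the uid in the rule text is relative to the policy writer's namespace; store it as a kuid so matching works across namespaces */`. The combined test `!uid_valid(entry->uid) || (((uid_t)lnum) != lnum)` rejects both an unmappable uid and a value that does not fit in uid_t, preserving the old truncation check, and saying so in the comment stops the truncation half from looking redundant next to uid_valid(). The uid_eq() comparison added in ima_match_rules in the third hunk is the matching half of the same change and compares kuids, so it stays correct when cred->uid originates in another namespace. ima_parse_rule begins and continues outside this hunk.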