[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 7 Jul 2021 07:15:29 +0000
From: Roberto Sassu <roberto.sassu@...wei.com>
To: Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>,
"zohar@...ux.ibm.com" <zohar@...ux.ibm.com>
CC: "tusharsu@...ux.microsoft.com" <tusharsu@...ux.microsoft.com>,
"linux-integrity@...r.kernel.org" <linux-integrity@...r.kernel.org>,
"linux-security-module@...r.kernel.org"
<linux-security-module@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH] ima: Support euid keyword for buffer measurement
> From: Lakshmi Ramasubramanian [mailto:nramas@...ux.microsoft.com]
> Sent: Tuesday, July 6, 2021 9:30 PM
> On 7/5/2021 4:56 AM, Roberto Sassu wrote:
>
> Hi Roberto,
>
> > This patch makes the 'euid' keyword available for buffer measurement rules,
> > in the same way as for other rules. Currently, there is only support for
> > the 'uid' keyword.
> >
> > With this change, buffer measurement (or non-measurement) can depend
> also
> > on the process effective UID.
>
> Who (kernel component) will be using this?
Hi Lakshmi
I'm using it in a (not yet submitted) test for digest lists.
It is in a dont_measure rule to try to unload a digest list
without measurement and to check that this is not allowed
if the digest list was measured at addition time (to ensure
completeness of information).
> Maybe you could make this change as part of the patch set in which the
> above "euid" support will be used.
I wanted to send the digest lists patch set without anything
else. I could resend the patch as part of that patch set if it is
preferred.
Thanks
Roberto
HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli
> thanks,
> -lakshmi
>
> >
> > Signed-off-by: Roberto Sassu <roberto.sassu@...wei.com>
> > ---
> > security/integrity/ima/ima_policy.c | 12 +++++++++++-
> > 1 file changed, 11 insertions(+), 1 deletion(-)
> >
> > diff --git a/security/integrity/ima/ima_policy.c
> b/security/integrity/ima/ima_policy.c
> > index fd5d46e511f1..fdaa030fb04b 100644
> > --- a/security/integrity/ima/ima_policy.c
> > +++ b/security/integrity/ima/ima_policy.c
> > @@ -480,6 +480,16 @@ static bool ima_match_rule_data(struct
> ima_rule_entry *rule,
> > if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
> > return false;
> >
> > + if (rule->flags & IMA_EUID) {
> > + if (has_capability_noaudit(current, CAP_SETUID)) {
> > + if (!rule->uid_op(cred->euid, rule->uid)
> > + && !rule->uid_op(cred->suid, rule->uid)
> > + && !rule->uid_op(cred->uid, rule->uid))
> > + return false;
> > + } else if (!rule->uid_op(cred->euid, rule->uid))
> > + return false;
> > + }
> > +
> > switch (rule->func) {
> > case KEY_CHECK:
> > if (!rule->keyrings)
> > @@ -1153,7 +1163,7 @@ static bool ima_validate_rule(struct
> ima_rule_entry *entry)
> > if (entry->action & ~(MEASURE | DONT_MEASURE))
> > return false;
> >
> > - if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR |
> > + if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_EUID |
> IMA_PCR |
> > IMA_LABEL))
> > return false;
> >
> >
Powered by blists - more mailing lists