Date:   Thu, 9 Dec 2021 08:09:20 +0000
From:   Denis Semakin <denis.semakin@...wei.com>
To:     Stefan Berger <stefanb@...ux.ibm.com>,
        "linux-integrity@...r.kernel.org" <linux-integrity@...r.kernel.org>
CC:     "zohar@...ux.ibm.com" <zohar@...ux.ibm.com>,
        "serge@...lyn.com" <serge@...lyn.com>,
        "christian.brauner@...ntu.com" <christian.brauner@...ntu.com>,
        "containers@...ts.linux.dev" <containers@...ts.linux.dev>,
        "dmitry.kasatkin@...il.com" <dmitry.kasatkin@...il.com>,
        "ebiederm@...ssion.com" <ebiederm@...ssion.com>,
        Krzysztof Struczynski <krzysztof.struczynski@...wei.com>,
        Roberto Sassu <roberto.sassu@...wei.com>,
        "mpeters@...hat.com" <mpeters@...hat.com>,
        "lhinds@...hat.com" <lhinds@...hat.com>,
        "lsturman@...hat.com" <lsturman@...hat.com>,
        "puiterwi@...hat.com" <puiterwi@...hat.com>,
        "jejb@...ux.ibm.com" <jejb@...ux.ibm.com>,
        "jamjoom@...ibm.com" <jamjoom@...ibm.com>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "paul@...l-moore.com" <paul@...l-moore.com>,
        "rgb@...hat.com" <rgb@...hat.com>,
        "linux-security-module@...r.kernel.org" 
        <linux-security-module@...r.kernel.org>,
        "jmorris@...ei.org" <jmorris@...ei.org>
Subject: RE: [PATCH v5 14/16] ima: Use mac_admin_ns_capable() to check corresponding capability

Following those thoughts...
Would it be so incorrect to unbind IMA-ns from USER-ns?
I realize that it could lead to a lot of problems, but it is still unclear whether the current IMA-ns will be useful for Kuber...
How is userland supposed to use the current IMA-ns implementation?

Br,
Denis

-----Original Message-----
From: Denis Semakin 
Sent: Thursday, December 9, 2021 10:22 AM
To: 'Stefan Berger' <stefanb@...ux.ibm.com>; linux-integrity@...r.kernel.org
Cc: zohar@...ux.ibm.com; serge@...lyn.com; christian.brauner@...ntu.com; containers@...ts.linux.dev; dmitry.kasatkin@...il.com; ebiederm@...ssion.com; Krzysztof Struczynski <krzysztof.struczynski@...wei.com>; Roberto Sassu <roberto.sassu@...wei.com>; mpeters@...hat.com; lhinds@...hat.com; lsturman@...hat.com; puiterwi@...hat.com; jejb@...ux.ibm.com; jamjoom@...ibm.com; linux-kernel@...r.kernel.org; paul@...l-moore.com; rgb@...hat.com; linux-security-module@...r.kernel.org; jmorris@...ei.org
Subject: RE: [PATCH v5 14/16] ima: Use mac_admin_ns_capable() to check corresponding capability

Hi. 
My question won't be about capabilities. I'm wondering how IMA-ns, which is associated with USER-ns and is created during USER-ns creation, would be used by namespace orchestration systems, e.g. Kubernetes. It seems that it can be run without any user namespaces...
Their community is just discussing the opportunity to support user namespaces (see https://github.com/kubernetes/enhancements/pull/2101).
It looks like IMA-ns will currently not be applicable to Kubernetes.

Br,
Denis

-----Original Message-----
From: Stefan Berger [mailto:stefanb@...ux.ibm.com]
Sent: Thursday, December 9, 2021 1:18 AM
To: linux-integrity@...r.kernel.org
Cc: zohar@...ux.ibm.com; serge@...lyn.com; christian.brauner@...ntu.com; containers@...ts.linux.dev; dmitry.kasatkin@...il.com; ebiederm@...ssion.com; Krzysztof Struczynski <krzysztof.struczynski@...wei.com>; Roberto Sassu <roberto.sassu@...wei.com>; mpeters@...hat.com; lhinds@...hat.com; lsturman@...hat.com; puiterwi@...hat.com; jejb@...ux.ibm.com; jamjoom@...ibm.com; linux-kernel@...r.kernel.org; paul@...l-moore.com; rgb@...hat.com; linux-security-module@...r.kernel.org; jmorris@...ei.org; Stefan Berger <stefanb@...ux.ibm.com>; Denis Semakin <denis.semakin@...wei.com>
Subject: [PATCH v5 14/16] ima: Use mac_admin_ns_capable() to check corresponding capability

Use mac_admin_ns_capable() to check the corresponding capability, to allow reading/writing the IMA policy without CAP_SYS_ADMIN but with CAP_MAC_ADMIN.

Signed-off-by: Denis Semakin <denis.semakin@...wei.com>
Signed-off-by: Stefan Berger <stefanb@...ux.ibm.com>
---
 include/linux/capability.h      | 6 ++++++
 security/integrity/ima/ima_fs.c | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/include/linux/capability.h b/include/linux/capability.h index 65efb74c3585..991579178f32 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -270,6 +270,12 @@ static inline bool checkpoint_restore_ns_capable(struct user_namespace *ns)
 		ns_capable(ns, CAP_SYS_ADMIN);
 }
 
+static inline bool mac_admin_ns_capable(struct user_namespace *ns) {
+	return ns_capable(ns, CAP_MAC_ADMIN) ||
+		ns_capable(ns, CAP_SYS_ADMIN);
+}
+
 /* audit system wants to get cap info from files as well */  int get_vfs_caps_from_disk(struct user_namespace *mnt_userns,
 			   const struct dentry *dentry,
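Review bot: the opening brace of mac_admin_ns_capable() is placed on the signature line (`static inline bool mac_admin_ns_capable(struct user_namespace *ns) {`), while the neighbouring checkpoint_restore_ns_capable() shown in the hunk header has its brace on its own line as kernel coding style requires; please move the brace to its own line so the helper matches the rest of this block. A short kernel-doc comment stating that either CAP_MAC_ADMIN or CAP_SYS_ADMIN in the given user namespace is sufficient would also make the intended relaxation (CAP_MAC_ADMIN as an alternative to, not a replacement for, CAP_SYS_ADMIN) explicit at the definition site.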
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c index 0e582ceecc7f..a749a3e79304 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -394,7 +394,7 @@ static int ima_open_policy(struct inode *inode, struct file *filp)  #else
 		if ((filp->f_flags & O_ACCMODE) != O_RDONLY)
 			return -EACCES;
-		if (!capable(CAP_SYS_ADMIN))
+		if (!mac_admin_ns_capable(ns->user_ns))
 			return -EPERM;
 		return seq_open(filp, &ima_policy_seqops);  #endif
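Review bot: `ns` is dereferenced as `ns->user_ns` in the new check, but nothing in the visible context of ima_open_policy() declares it, so this hunk depends on an earlier patch in the series having introduced the IMA namespace pointer; the commit message should mention that dependency. The visible `#else` branch already rejects any non-O_RDONLY open with `return -EACCES;` before the capability check, so what this hunk relaxes is only the read path of that branch, whereas the commit message claims read/write policy access with CAP_MAC_ADMIN; please confirm the `#ifdef` branch (not shown here) gets the same helper, or narrow the message. Finally, replacing `capable(CAP_SYS_ADMIN)` with `mac_admin_ns_capable(ns->user_ns)` changes the scope of the check from the initial user namespace to the IMA namespace's owning user namespace, meaning a process holding CAP_MAC_ADMIN or CAP_SYS_ADMIN only inside a child user namespace can now read that namespace's IMA policy; that appears to be the intent of the series, but it is a semantic change worth stating explicitly in the commit message.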
--
2.31.1
