| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 4 Jan 2022 12:04:15 -0500
From: Stefan Berger <stefanb@...ux.vnet.ibm.com>
To: linux-integrity@...r.kernel.org
Cc: zohar@...ux.ibm.com, serge@...lyn.com,
christian.brauner@...ntu.com, containers@...ts.linux.dev,
dmitry.kasatkin@...il.com, ebiederm@...ssion.com,
krzysztof.struczynski@...wei.com, roberto.sassu@...wei.com,
mpeters@...hat.com, lhinds@...hat.com, lsturman@...hat.com,
puiterwi@...hat.com, jejb@...ux.ibm.com, jamjoom@...ibm.com,
linux-kernel@...r.kernel.org, paul@...l-moore.com, rgb@...hat.com,
linux-security-module@...r.kernel.org, jmorris@...ei.org,
Stefan Berger <stefanb@...ux.ibm.com>
Subject: [PATCH v8 18/19] ima: Show owning user namespace's uid and gid when displaying policy
From: Stefan Berger <stefanb@...ux.ibm.com>
Show the uid and gid values of the owning user namespace when displaying
the IMA policy rather than the kernel uid and gid values. Now the same uid
and gid values are shown in the policy as those that were used when the
policy was set.
Signed-off-by: Stefan Berger <stefanb@...ux.ibm.com>
---
security/integrity/ima/ima_policy.c | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 15c68dc5da9e..b7dbc687b6ff 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -1997,6 +1997,7 @@ static void ima_policy_show_appraise_algos(struct seq_file *m,
int ima_policy_show(struct seq_file *m, void *v)
{
+ struct user_namespace *user_ns = ima_user_ns_from_file(m->file);
struct ima_rule_entry *entry = v;
int i;
char tbuf[64] = {0,};
@@ -2074,7 +2075,8 @@ int ima_policy_show(struct seq_file *m, void *v)
}
if (entry->flags & IMA_UID) {
- snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));
+ snprintf(tbuf, sizeof(tbuf),
+ "%d", from_kuid(user_ns, entry->uid));
if (entry->uid_op == &uid_gt)
seq_printf(m, pt(Opt_uid_gt), tbuf);
else if (entry->uid_op == &uid_lt)
@@ -2085,7 +2087,8 @@ int ima_policy_show(struct seq_file *m, void *v)
}
if (entry->flags & IMA_EUID) {
- snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));
+ snprintf(tbuf, sizeof(tbuf),
+ "%d", from_kuid(user_ns, entry->uid));
if (entry->uid_op == &uid_gt)
seq_printf(m, pt(Opt_euid_gt), tbuf);
else if (entry->uid_op == &uid_lt)
@@ -2096,7 +2099,8 @@ int ima_policy_show(struct seq_file *m, void *v)
}
if (entry->flags & IMA_GID) {
- snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->gid));
+ snprintf(tbuf, sizeof(tbuf),
+ "%d", from_kgid(user_ns, entry->gid));
if (entry->gid_op == &gid_gt)
seq_printf(m, pt(Opt_gid_gt), tbuf);
else if (entry->gid_op == &gid_lt)
@@ -2107,7 +2111,8 @@ int ima_policy_show(struct seq_file *m, void *v)
}
if (entry->flags & IMA_EGID) {
- snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->gid));
+ snprintf(tbuf, sizeof(tbuf),
+ "%d", from_kgid(user_ns, entry->gid));
if (entry->gid_op == &gid_gt)
seq_printf(m, pt(Opt_egid_gt), tbuf);
else if (entry->gid_op == &gid_lt)
@@ -2118,7 +2123,8 @@ int ima_policy_show(struct seq_file *m, void *v)
}
if (entry->flags & IMA_FOWNER) {
- snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner));
+ snprintf(tbuf, sizeof(tbuf),
+ "%d", from_kuid(user_ns, entry->fowner));
if (entry->fowner_op == &uid_gt)
seq_printf(m, pt(Opt_fowner_gt), tbuf);
else if (entry->fowner_op == &uid_lt)
@@ -2129,7 +2135,8 @@ int ima_policy_show(struct seq_file *m, void *v)
}
if (entry->flags & IMA_FGROUP) {
- snprintf(tbuf, sizeof(tbuf), "%d", __kgid_val(entry->fgroup));
+ snprintf(tbuf, sizeof(tbuf),
+ "%d", from_kgid(user_ns, entry->fgroup));
if (entry->fgroup_op == &gid_gt)
seq_printf(m, pt(Opt_fgroup_gt), tbuf);
else if (entry->fgroup_op == &gid_lt)
--
2.31.1
Powered by blists - more mailing lists