| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 18 Jan 2022 11:31:29 -0500
From: Stefan Berger <stefanb@...ux.ibm.com>
To: Christian Brauner <brauner@...nel.org>,
Stefan Berger <stefanb@...ux.vnet.ibm.com>
Cc: linux-integrity@...r.kernel.org, zohar@...ux.ibm.com,
serge@...lyn.com, christian.brauner@...ntu.com,
containers@...ts.linux.dev, dmitry.kasatkin@...il.com,
ebiederm@...ssion.com, krzysztof.struczynski@...wei.com,
roberto.sassu@...wei.com, mpeters@...hat.com, lhinds@...hat.com,
lsturman@...hat.com, puiterwi@...hat.com, jejb@...ux.ibm.com,
jamjoom@...ibm.com, linux-kernel@...r.kernel.org,
paul@...l-moore.com, rgb@...hat.com,
linux-security-module@...r.kernel.org, jmorris@...ei.org
Subject: Re: [PATCH v8 18/19] ima: Show owning user namespace's uid and gid
when displaying policy
On 1/14/22 08:45, Christian Brauner wrote:
> On Tue, Jan 04, 2022 at 12:04:15PM -0500, Stefan Berger wrote:
>> From: Stefan Berger <stefanb@...ux.ibm.com>
>>
>> Show the uid and gid values of the owning user namespace when displaying
>> the IMA policy rather than the kernel uid and gid values. Now the same uid
>> and gid values are shown in the policy as those that were used when the
>> policy was set.
>>
>> Signed-off-by: Stefan Berger <stefanb@...ux.ibm.com>
>> ---
>> security/integrity/ima/ima_policy.c | 19 +++++++++++++------
>> 1 file changed, 13 insertions(+), 6 deletions(-)
>>
>> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
>> index 15c68dc5da9e..b7dbc687b6ff 100644
>> --- a/security/integrity/ima/ima_policy.c
>> +++ b/security/integrity/ima/ima_policy.c
>> @@ -1997,6 +1997,7 @@ static void ima_policy_show_appraise_algos(struct seq_file *m,
>>
>> int ima_policy_show(struct seq_file *m, void *v)
>> {
>> + struct user_namespace *user_ns = ima_user_ns_from_file(m->file);
> Hm, so when looking at the policy entries via seq_file's .show method
> and displaying the {g,u}id values of the rules we don't want the values
> resolved according to the user namespace the securityfs instances was
> mounted in. That would be misleading for callers that are in an
> ancestor userns (which we allow in .permission).
>
> So we want to make sure that we see the values as the opener of the file
> would see them. This is similar to e.g. looking at a task's ids through
> /proc/<pid>/status. So this should be seq_user_ns(m) instead of
> ima_user_ns_from_file().
>> struct ima_rule_entry *entry = v;
>> int i;
>> char tbuf[64] = {0,};
>> @@ -2074,7 +2075,8 @@ int ima_policy_show(struct seq_file *m, void *v)
>> }
>>
>> if (entry->flags & IMA_UID) {
>> - snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));
>> + snprintf(tbuf, sizeof(tbuf),
>> + "%d", from_kuid(user_ns, entry->uid));
> This should be from_k{g,u}id_munged().
Thanks, fixed.
When I run a runc container as uid=1000 I see uid = 0 when inside the
container and when entering its mount namespace from root account via
nsenter it shows 'uid = 1000' while before it was showing 'uid = 0'.
Powered by blists - more mailing lists