Re: [PATCH 3/7] ima: Introduce template fields mntuidmap and mntgidmap

[PATCH 0/7] ima: Add template fields to verify EVM portable signatures · Roberto Sassu <roberto.sassu@huawei.com> · 2021-05-20
[PATCH 1/7] ima: Add ima_show_template_uint() template library function · Roberto Sassu <roberto.sassu@huawei.com> · 2021-05-20
[PATCH 2/7] ima: Introduce template fields iuid and igid · Roberto Sassu <roberto.sassu@huawei.com> · 2021-05-20
[PATCH 3/7] ima: Introduce template fields mntuidmap and mntgidmap · Roberto Sassu <roberto.sassu@huawei.com> · 2021-05-20
Re: [PATCH 3/7] ima: Introduce template fields mntuidmap and mntgidmap · Christian Brauner <hidden> · 2021-05-20
Re: [PATCH 3/7] ima: Introduce template fields mntuidmap and mntgidmap · Christian Brauner <hidden> · 2021-05-20
RE: [PATCH 3/7] ima: Introduce template fields mntuidmap and mntgidmap · Roberto Sassu <roberto.sassu@huawei.com> · 2021-05-20
[PATCH 4/7] ima: Introduce template field imode · Roberto Sassu <roberto.sassu@huawei.com> · 2021-05-20
[PATCH 5/7] evm: Verify portable signatures against all protected xattrs · Roberto Sassu <roberto.sassu@huawei.com> · 2021-05-20
Re: [PATCH 5/7] evm: Verify portable signatures against all protected xattrs · Mimi Zohar <zohar@linux.ibm.com> · 2021-05-24
[PATCH 6/7] ima: Introduce template field evmxattrs · Roberto Sassu <roberto.sassu@huawei.com> · 2021-05-20
Re: [PATCH 6/7] ima: Introduce template field evmxattrs · Mimi Zohar <zohar@linux.ibm.com> · 2021-05-24
[PATCH 7/7] evm: Don't return an error in evm_write_xattrs() if audit is not enabled · Roberto Sassu <roberto.sassu@huawei.com> · 2021-05-20

From: Christian Brauner <hidden>
Date: 2021-05-20 09:57:27
Also in: linux-integrity, linux-security-module, lkml

On Thu, May 20, 2021 at 10:56:57AM +0200, Roberto Sassu wrote:

This patch introduces the new template fields mntuidmap and mntgidmap,
which include respectively the UID and GID mappings of the idmapped mount,
if the user namespace is not the initial one.

These template fields, which should be included whenever the iuid and the
igid fields are included, allow remote verifiers to find the original UID
and GID of the inode during signature verification. The iuid and igid
fields include the mapped UID and GID when the inode is in an idmapped
mount.

This solution has been preferred to providing always the original UID and
GID, regardless of whether the inode is in an idmapped mount or not, as
the mapped UID and GID are those seen by processes and matched with the IMA
policy.

Hm, looking at the code this doesn't seem like a good idea to me. I
think we should avoid that and just rely on the original uid and gid.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help