RE: [PATCH] ima: Support euid keyword for buffer measurement
From: Roberto Sassu <roberto.sassu@huawei.com>
Date: 2021-07-07 07:15:34
Also in:
linux-security-module, lkml
> From: Lakshmi Ramasubramanian [mailto:nramas@linux.microsoft.com]
> Sent: Tuesday, July 6, 2021 9:30 PM
>
> On 7/5/2021 4:56 AM, Roberto Sassu wrote:
> Hi Roberto,
>
>> This patch makes the 'euid' keyword available for buffer measurement
>> rules, in the same way as for other rules. Currently, there is only
>> support for the 'uid' keyword. With this change, buffer measurement
>> (or non-measurement) can depend also on the process effective UID.
>
> Who (kernel component) will be using this?
Hi Lakshmi,

I'm using it in a (not yet submitted) test for digest lists. It is in a dont_measure rule to try to unload a digest list without measurement and to check that this is not allowed if the digest list was measured at addition time (to ensure completeness of information).
> Maybe you could make this change as part of the patch set in which
> the above "euid" support will be used.
I wanted to send the digest lists patch set without anything else. I could resend the patch as part of that patch set if it is preferred.

Thanks

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli
> thanks,
> -lakshmi
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> --- security/integrity/ima/ima_policy.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-)diff --git a/security/integrity/ima/ima_policy.cb/security/integrity/ima/ima_policy.cquoted
index fd5d46e511f1..fdaa030fb04b 100644--- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c@@ -480,6 +480,16 @@ static bool ima_match_rule_data(structima_rule_entry *rule,quoted
if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) return false; + if (rule->flags & IMA_EUID) { + if (has_capability_noaudit(current, CAP_SETUID)) { + if (!rule->uid_op(cred->euid, rule->uid) + && !rule->uid_op(cred->suid, rule->uid) + && !rule->uid_op(cred->uid, rule->uid)) + return false; + } else if (!rule->uid_op(cred->euid, rule->uid)) + return false; + } + switch (rule->func) { case KEY_CHECK: if (!rule->keyrings)@@ -1153,7 +1163,7 @@ static bool ima_validate_rule(structima_rule_entry *entry)quoted
if (entry->action & ~(MEASURE | DONT_MEASURE)) return false; - if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR | + if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_EUID |IMA_PCR |quoted
IMA_LABEL)) return false;
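Review bot: in the ima_match_rule_data() hunk the new IMA_EUID block compares against rule->uid through rule->uid_op, the same two fields the IMA_UID check immediately above it uses for cred->uid, so a rule written with both uid= and euid= would match both against a single stored value; nothing in this hunk rejects that combination, so either the description should say that rule parsing already refuses it or the patch should enforce it. Two further points for the commit message: it says the decision "can depend also on the process effective UID", but for a task holding CAP_SETUID the branch also accepts a match on cred->suid or cred->uid, which changes what a dont_measure rule exempts and deserves to be spelled out; and if this is the same euid logic already applied to file rules, as "in the same way as for other rules" suggests, a small shared helper taking the rule and cred would avoid carrying two copies of the nine-line block.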
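Review bot: the ima_validate_rule() hunk widens the accepted flag mask with IMA_EUID but comes with no documentation change; the IMA policy documentation lists which keywords each func accepts, and euid should be added there for the buffer measurement funcs in the same patch so the new rule syntax is discoverable alongside uid.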