[RFC v2 10/19] ima: Implement hierarchical processing of file accesses

[RFC v2 00/19] ima: Namespace IMA with audit support in IMA-ns · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-03
[RFC v2 01/19] ima: Add IMA namespace support · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-03
[RFC v2 02/19] ima: Define ns_status for storing namespaced iint data · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-03
[RFC v2 06/19] ima: Move policy related variables into ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-03
[RFC v2 07/19] ima: Move ima_htable into ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-03
[RFC v2 04/19] ima: Move delayed work queue and variables into ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-03
[RFC v2 03/19] ima: Namespace audit status flags · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-03
[RFC v2 12/19] securityfs: Pass static variables as parameters from top level functions · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-03
[RFC v2 10/19] ima: Implement hierarchical processing of file accesses · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-03
[RFC v2 14/19] ima: Move some IMA policy and filesystem related variables into ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-03
[RFC v2 08/19] ima: Move measurement list related variables into ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-03
[RFC v2 11/19] securityfs: Prefix global variables with securityfs_ · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-03
[RFC v2 16/19] ima: Use integrity_admin_ns_capable() to check corresponding capability · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-03
[RFC v2 13/19] securityfs: Extend securityfs with namespacing support · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-03
[RFC v2 09/19] ima: Only accept AUDIT rules for IMA non-init_ima_ns namespaces for now · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-03
[RFC v2 15/19] capabilities: Introduce CAP_INTEGRITY_ADMIN · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-03
Re: [RFC v2 15/19] capabilities: Introduce CAP_INTEGRITY_ADMIN · Casey Schaufler <casey@schaufler-ca.com> · 2021-12-03
Re: [RFC v2 15/19] capabilities: Introduce CAP_INTEGRITY_ADMIN · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-03
[RFC v2 17/19] userns: Introduce a refcount variable for calling early teardown function · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-03
[RFC v2 19/19] ima: Setup securityfs for IMA namespace · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-03
Re: [RFC v2 19/19] ima: Setup securityfs for IMA namespace · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-03
Re: [RFC v2 19/19] ima: Setup securityfs for IMA namespace · James Bottomley <hidden> · 2021-12-03
Re: [RFC v2 19/19] ima: Setup securityfs for IMA namespace · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-03
Re: [RFC v2 19/19] ima: Setup securityfs for IMA namespace · James Bottomley <hidden> · 2021-12-03
Re: [RFC v2 19/19] ima: Setup securityfs for IMA namespace · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-03
Re: [RFC v2 19/19] ima: Setup securityfs for IMA namespace · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-04
Re: [RFC v2 19/19] ima: Setup securityfs for IMA namespace · Christian Brauner <hidden> · 2021-12-06
Re: [RFC v2 19/19] ima: Setup securityfs for IMA namespace · James Bottomley <hidden> · 2021-12-06
Re: [RFC v2 19/19] ima: Setup securityfs for IMA namespace · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-06
Re: [RFC v2 19/19] ima: Setup securityfs for IMA namespace · James Bottomley <hidden> · 2021-12-06
Re: [RFC v2 19/19] ima: Setup securityfs for IMA namespace · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-06
Re: [RFC v2 19/19] ima: Setup securityfs for IMA namespace · Casey Schaufler <casey@schaufler-ca.com> · 2021-12-03
Re: [RFC v2 19/19] ima: Setup securityfs for IMA namespace · Christian Brauner <hidden> · 2021-12-06
Re: [RFC v2 19/19] ima: Setup securityfs for IMA namespace · James Bottomley <hidden> · 2021-12-06
Re: [RFC v2 19/19] ima: Setup securityfs for IMA namespace · Christian Brauner <hidden> · 2021-12-06
Re: [RFC v2 19/19] ima: Setup securityfs for IMA namespace · Christian Brauner <hidden> · 2021-12-06
Re: [RFC v2 19/19] ima: Setup securityfs for IMA namespace · James Bottomley <hidden> · 2021-12-06
Re: [RFC v2 19/19] ima: Setup securityfs for IMA namespace · Christian Brauner <hidden> · 2021-12-06
Re: [RFC v2 19/19] ima: Setup securityfs for IMA namespace · James Bottomley <hidden> · 2021-12-06
Re: [RFC v2 19/19] ima: Setup securityfs for IMA namespace · Christian Brauner <hidden> · 2021-12-06
Re: [RFC v2 19/19] ima: Setup securityfs for IMA namespace · James Bottomley <hidden> · 2021-12-06
[RFC v2 05/19] ima: Move IMA's keys queue related variables into ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-03
[RFC v2 18/19] ima/userns: Define early teardown function for IMA namespace · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-03

From: Stefan Berger <stefanb@linux.ibm.com>
Date: 2021-12-03 02:32:08
Also in: linux-security-module, lkml
Subsystem: extended verification module (evm), integrity measurement architecture (ima), security subsystem, the rest · Maintainers: Mimi Zohar, Roberto Sassu, Dmitry Kasatkin, Paul Moore, James Morris, "Serge E. Hallyn", Linus Torvalds

Implement hierarchical processing of file accesses in IMA namespaces by
walking the list of IMA namespaces towards the init_ima_ns. This way
file accesses can be audited in an IMA namespace and also be evaluated
against the IMA policies of parent IMA namespaces.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 security/integrity/ima/ima_main.c | 29 +++++++++++++++++++++++++----
 1 file changed, 25 insertions(+), 4 deletions(-)

diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index d692c9d53a98..42cbcaf2dc1e 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c

@@ -199,10 +199,10 @@ void ima_file_free(struct file *file)
 	ima_check_last_writer(iint, inode, file);
 }
 
-static int process_measurement(struct ima_namespace *ns,
-			       struct file *file, const struct cred *cred,
-			       u32 secid, char *buf, loff_t size, int mask,
-			       enum ima_hooks func)
+static int _process_measurement(struct ima_namespace *ns,
+				struct file *file, const struct cred *cred,
+				u32 secid, char *buf, loff_t size, int mask,
+				enum ima_hooks func)
 {
 	struct inode *inode = file_inode(file);
 	struct integrity_iint_cache *iint = NULL;

@@ -404,6 +404,27 @@ static int process_measurement(struct ima_namespace *ns,
 	return 0;
 }
 
+static int process_measurement(struct ima_namespace *ns,
+			       struct file *file, const struct cred *cred,
+			       u32 secid, char *buf, loff_t size, int mask,
+			       enum ima_hooks func)
+{
+	int ret = 0;
+	struct user_namespace *user_ns;
+
+	do {
+		ret = _process_measurement(ns, file, cred, secid, buf, size, mask, func);
+		if (ret)
+			break;
+		user_ns = ns->user_ns->parent;
+		if (!user_ns)
+			break;
+		ns = user_ns->ima_ns;
+	} while (1);
+
+	return ret;
+}
+
 /**
  * ima_file_mmap - based on policy, collect/store measurement.
  * @file: pointer to the file to be measured (May be NULL)

-- 
2.31.1

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help