Re: [PATCH v6 15/17] ima: Use mac_admin_ns_capable() to check corresponding... | linux-security-module

[PATCH v6 00/17] ima: Namespace IMA with audit support in IMA-ns · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-10
[PATCH v6 02/17] ima: Define ns_status for storing namespaced iint data · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-10
Re: [PATCH v6 02/17] ima: Define ns_status for storing namespaced iint data · Mimi Zohar <zohar@linux.ibm.com> · 2021-12-15
Re: [PATCH v6 02/17] ima: Define ns_status for storing namespaced iint data · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-16
Re: [PATCH v6 02/17] ima: Define ns_status for storing namespaced iint data · Mimi Zohar <zohar@linux.ibm.com> · 2021-12-16
Re: [PATCH v6 02/17] ima: Define ns_status for storing namespaced iint data · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-16
[PATCH v6 07/17] ima: Move ima_htable into ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-10
[PATCH v6 17/17] ima: Setup securityfs for IMA namespace · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-10
Re: [PATCH v6 17/17] ima: Setup securityfs for IMA namespace · Mimi Zohar <zohar@linux.ibm.com> · 2021-12-15
Re: [PATCH v6 17/17] ima: Setup securityfs for IMA namespace · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-16
[PATCH v6 13/17] ima: Move some IMA policy and filesystem related variables into ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-10
[PATCH v6 11/17] securityfs: Only use simple_pin_fs/simple_release_fs for init_user_ns · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-10
[PATCH v6 08/17] ima: Move measurement list related variables into ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-10
[PATCH v6 14/17] ima: Tie opened SecurityFS files to the IMA namespace it belongs to · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-10
Re: [PATCH v6 14/17] ima: Tie opened SecurityFS files to the IMA namespace it belongs to · Christian Brauner <hidden> · 2021-12-11
Re: [PATCH v6 14/17] ima: Tie opened SecurityFS files to the IMA namespace it belongs to · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-11
[PATCH v6 15/17] ima: Use mac_admin_ns_capable() to check corresponding capability · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-10
Re: [PATCH v6 15/17] ima: Use mac_admin_ns_capable() to check corresponding capability · "Serge E. Hallyn" <serge@hallyn.com> · 2021-12-11
Re: [PATCH v6 15/17] ima: Use mac_admin_ns_capable() to check corresponding capability · James Bottomley <hidden> · 2021-12-11
Re: [PATCH v6 15/17] ima: Use mac_admin_ns_capable() to check corresponding capability · "Serge E. Hallyn" <serge@hallyn.com> · 2021-12-11
Re: [PATCH v6 15/17] ima: Use mac_admin_ns_capable() to check corresponding capability · James Bottomley <hidden> · 2021-12-11
[PATCH v6 01/17] ima: Add IMA namespace support · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-10
Re: [PATCH v6 01/17] ima: Add IMA namespace support · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-13
Re: [PATCH v6 01/17] ima: Add IMA namespace support · Mimi Zohar <zohar@linux.ibm.com> · 2021-12-15
Re: [PATCH v6 01/17] ima: Add IMA namespace support · Mimi Zohar <zohar@linux.ibm.com> · 2021-12-15
Re: [PATCH v6 01/17] ima: Add IMA namespace support · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-16
[PATCH v6 16/17] ima: Move dentry into ima_namespace and others onto stack · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-10
[PATCH v6 09/17] ima: Only accept AUDIT rules for IMA non-init_ima_ns namespaces for now · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-10
[PATCH v6 06/17] ima: Move policy related variables into ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-10
Re: [PATCH v6 06/17] ima: Move policy related variables into ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-13
[PATCH v6 12/17] securityfs: Extend securityfs with namespacing support · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-10
Re: [PATCH v6 12/17] securityfs: Extend securityfs with namespacing support · Christian Brauner <hidden> · 2021-12-11
Re: [PATCH v6 12/17] securityfs: Extend securityfs with namespacing support · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-11
[PATCH v6 05/17] ima: Move IMA's keys queue related variables into ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-10
[PATCH v6 04/17] ima: Move delayed work queue and variables into ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-10
[PATCH v6 10/17] ima: Implement hierarchical processing of file accesses · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-10
[PATCH v6 03/17] ima: Namespace audit status flags · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-10
Re: [PATCH v6 03/17] ima: Namespace audit status flags · Mimi Zohar <zohar@linux.ibm.com> · 2021-12-15
Re: [PATCH v6 03/17] ima: Namespace audit status flags · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-16
Re: [PATCH v6 03/17] ima: Namespace audit status flags · Mimi Zohar <zohar@linux.ibm.com> · 2021-12-16

Re: [PATCH v6 15/17] ima: Use mac_admin_ns_capable() to check corresponding capability

From: "Serge E. Hallyn" <serge@hallyn.com>
Date: 2021-12-11 15:29:08
Also in: linux-integrity, lkml

On Fri, Dec 10, 2021 at 02:47:34PM -0500, Stefan Berger wrote:

quoted hunk ↗ jump to hunk

Use mac_admin_ns_capable() to check corresponding capability to allow
read/write IMA policy without CAP_SYS_ADMIN but with CAP_MAC_ADMIN.

Signed-off-by: Denis Semakin <redacted>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 include/linux/capability.h      | 6 ++++++
 security/integrity/ima/ima_fs.c | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/include/linux/capability.h b/include/linux/capability.h
index 65efb74c3585..991579178f32 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h

@@ -270,6 +270,12 @@ static inline bool checkpoint_restore_ns_capable(struct user_namespace *ns)
 		ns_capable(ns, CAP_SYS_ADMIN);
 }
 
+static inline bool mac_admin_ns_capable(struct user_namespace *ns)
+{
+	return ns_capable(ns, CAP_MAC_ADMIN) ||
+		ns_capable(ns, CAP_SYS_ADMIN);
+}
+
 /* audit system wants to get cap info from files as well */
 int get_vfs_caps_from_disk(struct user_namespace *mnt_userns,
 			   const struct dentry *dentry,

diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index a136d14f29ec..090ee85bfa3a 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c

@@ -440,7 +440,7 @@ static int ima_open_policy(struct inode *inode, struct file *filp)
 #else
 		if ((filp->f_flags & O_ACCMODE) != O_RDONLY)
 			return -EACCES;
-		if (!capable(CAP_SYS_ADMIN))
+		if (!mac_admin_ns_capable(user_ns))

Sorry if I'm missing something.  But I'm looking at your tree's
version of ima_update_policy() and failing to see where it adds
extra capability checks.  Note that any unprivileged user can
unshare a user namespace, map its hostuid to nsuid 0, and pass
ns_capable(CAP_MAC_ADMIN).

Likewise, a host uid 0 process which does not have CAP_MAC_ADMIN
can create a new user namespace, map hostuid 0 to nsuid 0, and
have CAP_MAC_ADMIN against the new userns.

Somewhere you need to be checking for privilege against either
the parent ns or the init_user_ns.  I'm not seeing where that's
being done.  Can you point me to it?

 			return -EPERM;
 		return ima_seq_open(filp, &ima_policy_seqops);
 #endif
-- 
2.31.1

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help