[PATCH v5 14/16] ima: Use mac_admin_ns_capable() to check corresponding capability

Denis Semakin denis.semakin at huawei.com
Thu Dec 9 07:22:27 UTC 2021


Hi. 
My question won't be about capabilities. I'm wondering how IMA-ns, which is associated with USER-ns and is created during USER-ns creation,
would be used by some namespace orchestration systems, e.g. Kubernetes? It seems that it can be run without any user namespaces...
Their community is just discussing this opportunity to support User namespaces (see https://github.com/kubernetes/enhancements/pull/2101).
Looks like currently IMA-ns will not be applicable for Kubernetes.

Br,
Denis

-----Original Message-----
From: Stefan Berger [mailto:stefanb at linux.ibm.com] 
Sent: Thursday, December 9, 2021 1:18 AM
To: linux-integrity at vger.kernel.org
Cc: zohar at linux.ibm.com; serge at hallyn.com; christian.brauner at ubuntu.com; containers at lists.linux.dev; dmitry.kasatkin at gmail.com; ebiederm at xmission.com; Krzysztof Struczynski <krzysztof.struczynski at huawei.com>; Roberto Sassu <roberto.sassu at huawei.com>; mpeters at redhat.com; lhinds at redhat.com; lsturman at redhat.com; puiterwi at redhat.com; jejb at linux.ibm.com; jamjoom at us.ibm.com; linux-kernel at vger.kernel.org; paul at paul-moore.com; rgb at redhat.com; linux-security-module at vger.kernel.org; jmorris at namei.org; Stefan Berger <stefanb at linux.ibm.com>; Denis Semakin <denis.semakin at huawei.com>
Subject: [PATCH v5 14/16] ima: Use mac_admin_ns_capable() to check corresponding capability

Use mac_admin_ns_capable() to check the corresponding capability to allow reading/writing the IMA policy without CAP_SYS_ADMIN but with CAP_MAC_ADMIN.

Signed-off-by: Denis Semakin <denis.semakin at huawei.com>
Signed-off-by: Stefan Berger <stefanb at linux.ibm.com>
---
 include/linux/capability.h      | 6 ++++++
 security/integrity/ima/ima_fs.c | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/include/linux/capability.h b/include/linux/capability.h index 65efb74c3585..991579178f32 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -270,6 +270,12 @@ static inline bool checkpoint_restore_ns_capable(struct user_namespace *ns)
 		ns_capable(ns, CAP_SYS_ADMIN);
 }
 
+static inline bool mac_admin_ns_capable(struct user_namespace *ns) {
+	return ns_capable(ns, CAP_MAC_ADMIN) ||
+		ns_capable(ns, CAP_SYS_ADMIN);
+}
+
 /* audit system wants to get cap info from files as well */  int get_vfs_caps_from_disk(struct user_namespace *mnt_userns,
 			   const struct dentry *dentry,
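Review bot: the opening brace of mac_admin_ns_capable() sits on the signature line, unlike checkpoint_restore_ns_capable() directly above it in the same header; kernel style wants `static inline bool mac_admin_ns_capable(struct user_namespace *ns)` followed by `{` on its own line. The helper also keeps accepting CAP_SYS_ADMIN alongside CAP_MAC_ADMIN, which is the right call for not breaking existing callers that held CAP_SYS_ADMIN, but a one-line comment above the function saying so would spare the next reader the trip to the commit log.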
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c index 0e582ceecc7f..a749a3e79304 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -394,7 +394,7 @@ static int ima_open_policy(struct inode *inode, struct file *filp)  #else
 		if ((filp->f_flags & O_ACCMODE) != O_RDONLY)
 			return -EACCES;
-		if (!capable(CAP_SYS_ADMIN))
+		if (!mac_admin_ns_capable(ns->user_ns))
 			return -EPERM;
 		return seq_open(filp, &ima_policy_seqops);  #endif
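Review bot: `ns` is not declared anywhere in the visible context of ima_open_policy(), so this hunk depends on an earlier patch in the series having introduced the IMA namespace variable; worth confirming the series still builds at each step. The commit message talks about reading/writing the policy, yet only the read-only open path inside the `#else` branch is touched here, and the write path is not shown; if it is already namespace-aware from a previous patch, the commit message should say that, otherwise it needs the same replacement. Note also the semantic change being made: `capable(CAP_SYS_ADMIN)` was checked against the initial user namespace, whereas `mac_admin_ns_capable(ns->user_ns)` grants access to a process holding CAP_MAC_ADMIN or CAP_SYS_ADMIN in the user namespace that owns the IMA namespace, which is the intended relaxation but deserves a sentence in the commit message.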
--
2.31.1