[PATCH v5 14/16] ima: Use mac_admin_ns_capable() to check corresponding capability

Stefan Berger stefanb at linux.ibm.com
Sat Dec 11 15:38:11 UTC 2021


On 12/11/21 10:02, Serge E. Hallyn wrote:
> IMO yes it is unsafe, however I concede that I am not sufficiently familiar
> with the policy language.  At least Stefan and Mimi (IIUC) want the host
> policy language to be able to specify cases where an IMA ns can be
> configured.  What's not clear to me is what sorts of triggers the host
> IMA policy could specify that would safely identify an IMA ns generation
> trigger.
>
> Stefan, would you mind showing what such a policy statement would look like?
> Does it amount to "/usr/bin/runc may create an IMA ns which escapes current
> policy" ?  Or is it by UID, or any file which has a certain xattr on it?

If this policy here is active on the host then file executions 
(BPRM_CHECK) of uid=0 should be measured and audited on the host in any 
IMA namespace that uid=0 may create. We achieve this with hierarchical 
processing (v6: 10/17).

measure func=BPRM_CHECK mask=MAY_EXEC uid=0

audit func=BPRM_CHECK mask=MAY_EXEC uid=0

    Stefan


>
> -serge
>
> On Thu, Dec 09, 2021 at 08:09:20AM +0000, Denis Semakin wrote:
>> Following those thoughts...
>> Would it be so incorrect to unbind IMA-ns from USER-ns?
>> I realize that it could lead to a lot of problems, but it is still unclear whether the current IMA-ns will be useful for Kuber...
>> How is userland supposed to use the current IMA-ns implementation?
>>
>> Br,
>> Denis
>>
>> -----Original Message-----
>> From: Denis Semakin
>> Sent: Thursday, December 9, 2021 10:22 AM
>> To: 'Stefan Berger' <stefanb at linux.ibm.com>; linux-integrity at vger.kernel.org
>> Cc: zohar at linux.ibm.com; serge at hallyn.com; christian.brauner at ubuntu.com; containers at lists.linux.dev; dmitry.kasatkin at gmail.com; ebiederm at xmission.com; Krzysztof Struczynski <krzysztof.struczynski at huawei.com>; Roberto Sassu <roberto.sassu at huawei.com>; mpeters at redhat.com; lhinds at redhat.com; lsturman at redhat.com; puiterwi at redhat.com; jejb at linux.ibm.com; jamjoom at us.ibm.com; linux-kernel at vger.kernel.org; paul at paul-moore.com; rgb at redhat.com; linux-security-module at vger.kernel.org; jmorris at namei.org
>> Subject: RE: [PATCH v5 14/16] ima: Use mac_admin_ns_capable() to check corresponding capability
>>
>> Hi.
>> My question won't be about capabilities. I'm wondering how IMA-ns, which is associated with USER-ns and is created during USER-ns creation, would be used by some namespace orchestration systems, e.g. Kubernetes?.. It seems that it can be run without any user namespaces...
>> Their community is just discussing this opportunity to support User namespaces (see https://github.com/kubernetes/enhancements/pull/2101).
>> Looks like currently IMA-ns will not be applicable for Kubernetes.
>>
>> Br,
>> Denis
>>
>> -----Original Message-----
>> From: Stefan Berger [mailto:stefanb at linux.ibm.com]
>> Sent: Thursday, December 9, 2021 1:18 AM
>> To: linux-integrity at vger.kernel.org
>> Cc: zohar at linux.ibm.com; serge at hallyn.com; christian.brauner at ubuntu.com; containers at lists.linux.dev; dmitry.kasatkin at gmail.com; ebiederm at xmission.com; Krzysztof Struczynski <krzysztof.struczynski at huawei.com>; Roberto Sassu <roberto.sassu at huawei.com>; mpeters at redhat.com; lhinds at redhat.com; lsturman at redhat.com; puiterwi at redhat.com; jejb at linux.ibm.com; jamjoom at us.ibm.com; linux-kernel at vger.kernel.org; paul at paul-moore.com; rgb at redhat.com; linux-security-module at vger.kernel.org; jmorris at namei.org; Stefan Berger <stefanb at linux.ibm.com>; Denis Semakin <denis.semakin at huawei.com>
>> Subject: [PATCH v5 14/16] ima: Use mac_admin_ns_capable() to check corresponding capability
>>
>> Use mac_admin_ns_capable() to check corresponding capability to allow read/write IMA policy without CAP_SYS_ADMIN but with CAP_MAC_ADMIN.
>>
>> Signed-off-by: Denis Semakin <denis.semakin at huawei.com>
>> Signed-off-by: Stefan Berger <stefanb at linux.ibm.com>
>> ---
>>   include/linux/capability.h      | 6 ++++++
>>   security/integrity/ima/ima_fs.c | 2 +-
>>   2 files changed, 7 insertions(+), 1 deletion(-)
>>
>> diff --git a/include/linux/capability.h b/include/linux/capability.h index 65efb74c3585..991579178f32 100644
>> --- a/include/linux/capability.h
>> +++ b/include/linux/capability.h
>> @@ -270,6 +270,12 @@ static inline bool checkpoint_restore_ns_capable(struct user_namespace *ns)
>>   		ns_capable(ns, CAP_SYS_ADMIN);
>>   }
>>   
>> +static inline bool mac_admin_ns_capable(struct user_namespace *ns) {
>> +	return ns_capable(ns, CAP_MAC_ADMIN) ||
>> +		ns_capable(ns, CAP_SYS_ADMIN);
>> +}
>> +
>>   /* audit system wants to get cap info from files as well */  int get_vfs_caps_from_disk(struct user_namespace *mnt_userns,
>>   			   const struct dentry *dentry,
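Review bot: the opening brace of mac_admin_ns_capable() sits on the signature line (`+static inline bool mac_admin_ns_capable(struct user_namespace *ns) {`), whereas kernel coding style puts a function's opening brace on its own line; move it down to match neighbouring helpers such as checkpoint_restore_ns_capable(). A one-line comment above the helper noting that CAP_SYS_ADMIN in the namespace remains sufficient (the `||` fallback) would also help, since the commit message only mentions CAP_MAC_ADMIN.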
>> diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c index 0e582ceecc7f..a749a3e79304 100644
>> --- a/security/integrity/ima/ima_fs.c
>> +++ b/security/integrity/ima/ima_fs.c
>> @@ -394,7 +394,7 @@ static int ima_open_policy(struct inode *inode, struct file *filp)  #else
>>   		if ((filp->f_flags & O_ACCMODE) != O_RDONLY)
>>   			return -EACCES;
>> -		if (!capable(CAP_SYS_ADMIN))
>> +		if (!mac_admin_ns_capable(ns->user_ns))
>>   			return -EPERM;
>>   		return seq_open(filp, &ima_policy_seqops);  #endif
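Review bot: `ns` is not defined anywhere in this hunk and the diffstat shows no other change to ima_fs.c, so `mac_admin_ns_capable(ns->user_ns)` relies on an earlier patch in the series introducing it; the commit message should name that dependency. The commit message also says "read/write IMA policy", but the only check changed here is the one in the `#else` branch after the `O_RDONLY` test, i.e. the read-only open path; either point at where the write path is handled or narrow the message to reads. Finally, replacing capable(CAP_SYS_ADMIN), which tests against the initial user namespace, with an ns_capable() check on `ns->user_ns` means the owner of a user namespace can now open its own namespace's policy with CAP_MAC_ADMIN held there; that scoping change is the security-relevant part of the patch and deserves a sentence in the commit message.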
>> --
>> 2.31.1
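The two host policy rules Stefan quotes above, applied to a few constructed exec and open events. This is an added example, not kernel code: it models only the func/mask/uid conditions used in those rules, and `parse_policy`, `rule_matches` and `actions_for` are names chosen here, not the kernel's ima_match_rules().

```python
"""Simplified model of IMA policy rule matching (added example, not kernel code).

It handles only the func=, mask= and uid= conditions that appear in the two
rules quoted in the thread; other conditions and dont_* rules are not modelled.
"""
from dataclasses import dataclass

# Constructed rule set, copied from the host policy quoted in the thread.
HOST_POLICY = """
measure func=BPRM_CHECK mask=MAY_EXEC uid=0
audit func=BPRM_CHECK mask=MAY_EXEC uid=0
"""


@dataclass(frozen=True)
class Rule:
    action: str   # "measure" or "audit" in the quoted policy
    conds: dict   # condition name -> required value, e.g. {"func": "BPRM_CHECK"}


def parse_policy(text: str) -> list[Rule]:
    """Parse one rule per line: <action> key=value key=value ..."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, *tokens = line.split()
        conds = dict(tok.split("=", 1) for tok in tokens)
        rules.append(Rule(action, conds))
    return rules


def rule_matches(rule: Rule, func: str, mask: str, uid: int) -> bool:
    """A rule matches only if every one of its conditions matches the event."""
    event = {"func": func, "mask": mask, "uid": str(uid)}
    return all(event.get(key) == value for key, value in rule.conds.items())


def actions_for(rules: list[Rule], func: str, mask: str, uid: int) -> list[str]:
    """Actions the policy applies to one file-access event.

    Every matching rule contributes, so under the quoted policy an exec by
    uid 0 is both measured and audited, while uid 1000 triggers nothing.
    """
    return [rule.action for rule in rules if rule_matches(rule, func, mask, uid)]
```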