[PATCH v7 12/14] ima: Use mac_admin_ns_capable() to check corresponding capability
Stefan Berger
stefanb at linux.vnet.ibm.com
Thu Dec 16 05:43:21 UTC 2021
From: Stefan Berger <stefanb at linux.ibm.com>
Use mac_admin_ns_capable() to check corresponding capability to allow
read/write IMA policy without CAP_SYS_ADMIN but with CAP_MAC_ADMIN.
Signed-off-by: Denis Semakin <denis.semakin at huawei.com>
Signed-off-by: Stefan Berger <stefanb at linux.ibm.com>
---
include/linux/capability.h | 6 ++++++
security/integrity/ima/ima_fs.c | 5 +++--
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/include/linux/capability.h b/include/linux/capability.h
index 65efb74c3585..991579178f32 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -270,6 +270,12 @@ static inline bool checkpoint_restore_ns_capable(struct user_namespace *ns)
ns_capable(ns, CAP_SYS_ADMIN);
}
+static inline bool mac_admin_ns_capable(struct user_namespace *ns)
+{
+ return ns_capable(ns, CAP_MAC_ADMIN) ||
+ ns_capable(ns, CAP_SYS_ADMIN);
+}
+
/* audit system wants to get cap info from files as well */
int get_vfs_caps_from_disk(struct user_namespace *mnt_userns,
const struct dentry *dentry,
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index b2ca9bcd185f..611c4271d474 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -385,7 +385,8 @@ static const struct seq_operations ima_policy_seqops = {
*/
static int ima_open_policy(struct inode *inode, struct file *filp)
{
- struct ima_namespace *ns = ima_ns_from_file(filp);
+ struct user_namespace *user_ns = ima_user_ns_from_file(filp);
+ struct ima_namespace *ns = user_ns->ima_ns;
if (!(filp->f_flags & O_WRONLY)) {
#ifndef CONFIG_IMA_READ_POLICY
@@ -393,7 +394,7 @@ static int ima_open_policy(struct inode *inode, struct file *filp)
#else
if ((filp->f_flags & O_ACCMODE) != O_RDONLY)
return -EACCES;
- if (!capable(CAP_SYS_ADMIN))
+ if (!mac_admin_ns_capable(user_ns))
return -EPERM;
return seq_open(filp, &ima_policy_seqops);
#endif
--
2.31.1
More information about the Linux-security-module-archive
mailing list