[PATCH] ima: Support euid keyword for buffer measurement
Roberto Sassu
roberto.sassu at huawei.com
Wed Jul 7 07:15:29 UTC 2021
> From: Lakshmi Ramasubramanian [mailto:nramas at linux.microsoft.com]
> Sent: Tuesday, July 6, 2021 9:30 PM
> On 7/5/2021 4:56 AM, Roberto Sassu wrote:
>
> Hi Roberto,
>
> > This patch makes the 'euid' keyword available for buffer measurement rules,
> > in the same way as for other rules. Currently, there is only support for
> > the 'uid' keyword.
> >
> > With this change, buffer measurement (or non-measurement) can depend
> also
> > on the process effective UID.
>
> Who (kernel component) will be using this?
Hi Lakshmi
I'm using it in a (not yet submitted) test for digest lists.
It is in a dont_measure rule to try to unload a digest list
without measurement and to check that this is not allowed
if the digest list was measured at addition time (to ensure
completeness of information).
> Maybe you could make this change as part of the patch set in which the
> above "euid" support will be used.
I wanted to send the digest lists patch set without anything
else. I could resend the patch as part of that patch set if it is
preferred.
Thanks
Roberto
HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli
> thanks,
> -lakshmi
>
> >
> > Signed-off-by: Roberto Sassu <roberto.sassu at huawei.com>
> > ---
> > security/integrity/ima/ima_policy.c | 12 +++++++++++-
> > 1 file changed, 11 insertions(+), 1 deletion(-)
> >
> > diff --git a/security/integrity/ima/ima_policy.c
> b/security/integrity/ima/ima_policy.c
> > index fd5d46e511f1..fdaa030fb04b 100644
> > --- a/security/integrity/ima/ima_policy.c
> > +++ b/security/integrity/ima/ima_policy.c
> > @@ -480,6 +480,16 @@ static bool ima_match_rule_data(struct
> ima_rule_entry *rule,
> > if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
> > return false;
> >
> > + if (rule->flags & IMA_EUID) {
> > + if (has_capability_noaudit(current, CAP_SETUID)) {
> > + if (!rule->uid_op(cred->euid, rule->uid)
> > + && !rule->uid_op(cred->suid, rule->uid)
> > + && !rule->uid_op(cred->uid, rule->uid))
> > + return false;
> > + } else if (!rule->uid_op(cred->euid, rule->uid))
> > + return false;
> > + }
> > +
> > switch (rule->func) {
> > case KEY_CHECK:
> > if (!rule->keyrings)
> > @@ -1153,7 +1163,7 @@ static bool ima_validate_rule(struct
> ima_rule_entry *entry)
> > if (entry->action & ~(MEASURE | DONT_MEASURE))
> > return false;
> >
> > - if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR |
> > + if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_EUID |
> IMA_PCR |
> > IMA_LABEL))
> > return false;
> >
> >
More information about the Linux-security-module-archive
mailing list