[PATCH] ima: Support euid keyword for buffer measurement

Roberto Sassu roberto.sassu at huawei.com
Wed Jul 7 07:15:29 UTC 2021


> From: Lakshmi Ramasubramanian [mailto:nramas at linux.microsoft.com]
> Sent: Tuesday, July 6, 2021 9:30 PM
> On 7/5/2021 4:56 AM, Roberto Sassu wrote:
> 
> Hi Roberto,
> 
> > This patch makes the 'euid' keyword available for buffer measurement rules,
> > in the same way as for other rules. Currently, there is only support for
> > the 'uid' keyword.
> >
> > With this change, buffer measurement (or non-measurement) can depend
> also
> > on the process effective UID.
> 
> Who (kernel component) will be using this?

Hi Lakshmi

I'm using it in a (not yet submitted) test for digest lists.

It is in a dont_measure rule to try to unload a digest list
without measurement and to check that this is not allowed
if the digest list was measured at addition time (to ensure
completeness of information).

> Maybe you could make this change as part of the patch set in which the
> above "euid" support will be used.

I wanted to send the digest lists patch set without anything
else. I could resend the patch as part of that patch set if it is
preferred.

Thanks

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli

> thanks,
>   -lakshmi
> 
> >
> > Signed-off-by: Roberto Sassu <roberto.sassu at huawei.com>
> > ---
> >   security/integrity/ima/ima_policy.c | 12 +++++++++++-
> >   1 file changed, 11 insertions(+), 1 deletion(-)
> >
> > diff --git a/security/integrity/ima/ima_policy.c
> b/security/integrity/ima/ima_policy.c
> > index fd5d46e511f1..fdaa030fb04b 100644
> > --- a/security/integrity/ima/ima_policy.c
> > +++ b/security/integrity/ima/ima_policy.c
> > @@ -480,6 +480,16 @@ static bool ima_match_rule_data(struct
> ima_rule_entry *rule,
> >   	if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
> >   		return false;
> >
> > +	if (rule->flags & IMA_EUID) {
> > +		if (has_capability_noaudit(current, CAP_SETUID)) {
> > +			if (!rule->uid_op(cred->euid, rule->uid)
> > +			    && !rule->uid_op(cred->suid, rule->uid)
> > +			    && !rule->uid_op(cred->uid, rule->uid))
> > +				return false;
> > +		} else if (!rule->uid_op(cred->euid, rule->uid))
> > +			return false;
> > +	}
> > +
> >   	switch (rule->func) {
> >   	case KEY_CHECK:
> >   		if (!rule->keyrings)
> > @@ -1153,7 +1163,7 @@ static bool ima_validate_rule(struct
> ima_rule_entry *entry)
> >   		if (entry->action & ~(MEASURE | DONT_MEASURE))
> >   			return false;
> >
> > -		if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR |
> > +		if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_EUID |
> IMA_PCR |
> >   				     IMA_LABEL))
> >   			return false;
> >
> >


More information about the Linux-security-module-archive mailing list