[PATCH v8 18/19] ima: Show owning user namespace's uid and gid when displaying policy
Stefan Berger
stefanb at linux.ibm.com
Tue Jan 18 16:31:29 UTC 2022
On 1/14/22 08:45, Christian Brauner wrote:
> On Tue, Jan 04, 2022 at 12:04:15PM -0500, Stefan Berger wrote:
>> From: Stefan Berger <stefanb at linux.ibm.com>
>>
>> Show the uid and gid values of the owning user namespace when displaying
>> the IMA policy rather than the kernel uid and gid values. Now the same uid
>> and gid values are shown in the policy as those that were used when the
>> policy was set.
>>
>> Signed-off-by: Stefan Berger <stefanb at linux.ibm.com>
>> ---
>> security/integrity/ima/ima_policy.c | 19 +++++++++++++------
>> 1 file changed, 13 insertions(+), 6 deletions(-)
>>
>> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
>> index 15c68dc5da9e..b7dbc687b6ff 100644
>> --- a/security/integrity/ima/ima_policy.c
>> +++ b/security/integrity/ima/ima_policy.c
>> @@ -1997,6 +1997,7 @@ static void ima_policy_show_appraise_algos(struct seq_file *m,
>>
>> int ima_policy_show(struct seq_file *m, void *v)
>> {
>> + struct user_namespace *user_ns = ima_user_ns_from_file(m->file);
> Hm, so when looking at the policy entries via seq_file's .show method
> and displaying the {g,u}id values of the rules we don't want the values
> resolved according to the user namespace the securityfs instances was
> mounted in. That would be misleading for callers that are in an
> ancestor userns (which we allow in .permission).
>
> So we want to make sure that we see the values as the opener of the file
> would see them. This is similar to e.g. looking at a task's ids through
> /proc/<pid>/status. So this should be seq_user_ns(m) instead of
> ima_user_ns_from_file().
>> struct ima_rule_entry *entry = v;
>> int i;
>> char tbuf[64] = {0,};
>> @@ -2074,7 +2075,8 @@ int ima_policy_show(struct seq_file *m, void *v)
>> }
>>
>> if (entry->flags & IMA_UID) {
>> - snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));
>> + snprintf(tbuf, sizeof(tbuf),
>> + "%d", from_kuid(user_ns, entry->uid));
> This should be from_k{g,u}id_munged().
Thanks, fixed.
When I run a runc container as uid=1000 I see uid = 0 when inside the
container and when entering its mount namespace from root account via
nsenter it shows 'uid = 1000' while before it was showing 'uid = 0'.
More information about the Linux-security-module-archive
mailing list