[PATCH v9 22/23] ima: Show owning user namespace's uid and gid when displaying policy
Christian Brauner
brauner at kernel.org
Wed Jan 26 14:43:59 UTC 2022
On Wed, Jan 26, 2022 at 03:43:26PM +0100, Christian Brauner wrote:
> On Tue, Jan 25, 2022 at 05:46:44PM -0500, Stefan Berger wrote:
> > From: Stefan Berger <stefanb at linux.ibm.com>
> >
> > Show the uid and gid values relative to the user namespace that is
> > currently active. The effect of this changes is that when one displays
> > the policy from the user namespace that originally set the policy,
> > the same uid and gid values are shown in the policy as those that were
> > used when the policy was set.
>
> "Make sure that the uid and gid values associated with the relevant
> ima policy are resolved in the user namespace of the opener of the
> policy file."
>
> is more correct. Also note, that by virtue of enforcing that securityfs
> files can only ever be opened if the opener's userns is the same or an
> ancestor of the userns the securityfs instance is mounted in we are
> guaranteed that the uid and gid can be resolved. That's another way of
> saying technically *_munged() isn't necessary but it is more correct
> since we're crossing the user-kernel boundary.
>
> >
> > Signed-off-by: Stefan Berger <stefanb at linux.ibm.com>
> >
> > ---
Acked-by: Christian Brauner <brauner at kernel.org>
More information about the Linux-security-module-archive
mailing list