[RFC,15/20] capabilities: Introduce CAP_INTEGRITY_ADMIN

Message ID	20211130160654.1418231-16-stefanb@linux.ibm.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-integrity-owner@kernel.org> From: Stefan Berger <stefanb@linux.ibm.com> To: linux-integrity@vger.kernel.org Cc: zohar@linux.ibm.com, serge@hallyn.com, christian.brauner@ubuntu.com, containers@lists.linux.dev, dmitry.kasatkin@gmail.com, ebiederm@xmission.com, krzysztof.struczynski@huawei.com, roberto.sassu@huawei.com, mpeters@redhat.com, lhinds@redhat.com, lsturman@redhat.com, puiterwi@redhat.com, jejb@linux.ibm.com, jamjoom@us.ibm.com, linux-kernel@vger.kernel.org, paul@paul-moore.com, rgb@redhat.com, linux-security-module@vger.kernel.org, jmorris@namei.org, Denis Semakin <denis.semakin@huawei.com>, Stefan Berger <stefanb@linux.ibm.com> Subject: [RFC 15/20] capabilities: Introduce CAP_INTEGRITY_ADMIN Date: Tue, 30 Nov 2021 11:06:49 -0500 Message-Id: <20211130160654.1418231-16-stefanb@linux.ibm.com> In-Reply-To: <20211130160654.1418231-1-stefanb@linux.ibm.com> References: <20211130160654.1418231-1-stefanb@linux.ibm.com> Content-Transfer-Encoding: 8bit MIME-Version: 1.0 Precedence: bulk
Series	ima: Namespace IMA with audit support in IMA-ns \| expand [RFC,00/20] ima: Namespace IMA with audit support in IMA-ns [RFC,01/20] ima: Add IMA namespace support [RFC,02/20] ima: Define ns_status for storing namespaced iint data [RFC,03/20] ima: Namespace audit status flags [RFC,04/20] ima: Move delayed work queue and variables into ima_namespace [RFC,05/20] ima: Move IMA's keys queue related variables into ima_namespace [RFC,06/20] ima: Move policy related variables into ima_namespace [RFC,07/20] ima: Move ima_htable into ima_namespace [RFC,08/20] ima: Move measurement list related variables into ima_namespace [RFC,09/20] ima: Only accept AUDIT rules for IMA non-init_ima_ns namespaces for now [RFC,10/20] ima: Implement hierarchical processing of file accesses [RFC,11/20] securityfs: Prefix global variables with securityfs_ [RFC,12/20] securityfs: Pass static variables as parameters from top level functions [RFC,13/20] securityfs: Build securityfs_ns for namespacing support [RFC,14/20] ima: Move some IMA policy and filesystem related variables into ima_namespace [RFC,15/20] capabilities: Introduce CAP_INTEGRITY_ADMIN [RFC,16/20] ima: Use ns_capable() for namespace policy access [RFC,17/20] ima: Use integrity_admin_ns_capable() to check corresponding capability [RFC,18/20] userns: Introduce a refcount variable for calling early teardown function [RFC,19/20] ima/userns: Define early teardown function for IMA namespace [RFC,20/20] ima: Setup securityfs_ns for IMA namespace

Message ID

20211130160654.1418231-16-stefanb@linux.ibm.com (mailing list archive)

State

New, archived

Headers

From: Stefan Berger <stefanb@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: zohar@linux.ibm.com, serge@hallyn.com,
        christian.brauner@ubuntu.com, containers@lists.linux.dev,
        dmitry.kasatkin@gmail.com, ebiederm@xmission.com,
        krzysztof.struczynski@huawei.com, roberto.sassu@huawei.com,
        mpeters@redhat.com, lhinds@redhat.com, lsturman@redhat.com,
        puiterwi@redhat.com, jejb@linux.ibm.com, jamjoom@us.ibm.com,
        linux-kernel@vger.kernel.org, paul@paul-moore.com, rgb@redhat.com,
        linux-security-module@vger.kernel.org, jmorris@namei.org,
        Denis Semakin <denis.semakin@huawei.com>,
        Stefan Berger <stefanb@linux.ibm.com>
Subject: [RFC 15/20] capabilities: Introduce CAP_INTEGRITY_ADMIN
Date: Tue, 30 Nov 2021 11:06:49 -0500
Message-Id: <20211130160654.1418231-16-stefanb@linux.ibm.com>
In-Reply-To: <20211130160654.1418231-1-stefanb@linux.ibm.com>
References: <20211130160654.1418231-1-stefanb@linux.ibm.com>
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
Precedence: bulk

Series

ima: Namespace IMA with audit support in IMA-ns | expand

Commit Message

Stefan Berger Nov. 30, 2021, 4:06 p.m. UTC

From: Denis Semakin <denis.semakin@huawei.com>

This patch introduces CAP_INTEGRITY_ADMIN, a new capability that allows
to setup IMA (Integrity Measurement Architecture) policies per container
for non-root users.

The main purpose of this new capability is discribed in this document:
https://kernsec.org/wiki/index.php/IMA_Namespacing_design_considerations
It is said: "setting the policy should be possibly without the powerful
CAP_SYS_ADMIN and there should be the opportunity to gate this with a new
capability CAP_INTEGRITY_ADMIN that allows a user to set the IMA policy
during container runtime.."

In other words it should be possible to setup IMA policies while not
giving too many privilges to the user, therefore splitting the
CAP_INTEGRITY_ADMIN off from CAP_SYS_ADMIN.

Signed-off-by: Denis Semakin <denis.semakin@huawei.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 include/linux/capability.h          | 6 ++++++
 include/uapi/linux/capability.h     | 7 ++++++-
 security/selinux/include/classmap.h | 4 ++--
 3 files changed, 14 insertions(+), 3 deletions(-)

Comments

Casey Schaufler Nov. 30, 2021, 5:27 p.m. UTC | #1

On 11/30/2021 8:06 AM, Stefan Berger wrote:
> From: Denis Semakin <denis.semakin@huawei.com>
>
> This patch introduces CAP_INTEGRITY_ADMIN, a new capability that allows
> to setup IMA (Integrity Measurement Architecture) policies per container
> for non-root users.

Why not use CAP_MAC_ADMIN? IMA is a mandatory policy. The scope
is system security administration. It seems to fit your needs.
I introduced CAP_MAC_ADMIN for Smack, and believe that IMA using
it would be completely appropriate.

>
> The main purpose of this new capability is discribed in this document:
> https://kernsec.org/wiki/index.php/IMA_Namespacing_design_considerations
> It is said: "setting the policy should be possibly without the powerful
> CAP_SYS_ADMIN and there should be the opportunity to gate this with a new
> capability CAP_INTEGRITY_ADMIN that allows a user to set the IMA policy
> during container runtime.."
>
> In other words it should be possible to setup IMA policies while not
> giving too many privilges to the user, therefore splitting the
> CAP_INTEGRITY_ADMIN off from CAP_SYS_ADMIN.
>
> Signed-off-by: Denis Semakin <denis.semakin@huawei.com>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
>   include/linux/capability.h          | 6 ++++++
>   include/uapi/linux/capability.h     | 7 ++++++-
>   security/selinux/include/classmap.h | 4 ++--
>   3 files changed, 14 insertions(+), 3 deletions(-)
>
> diff --git a/include/linux/capability.h b/include/linux/capability.h
> index 65efb74c3585..ea6d58acb95e 100644
> --- a/include/linux/capability.h
> +++ b/include/linux/capability.h
> @@ -278,4 +278,10 @@ int get_vfs_caps_from_disk(struct user_namespace *mnt_userns,
>   int cap_convert_nscap(struct user_namespace *mnt_userns, struct dentry *dentry,
>   		      const void **ivalue, size_t size);
>   
> +static inline bool integrity_admin_ns_capable(struct user_namespace *ns)
> +{
> +	return ns_capable(ns, CAP_INTEGRITY_ADMIN) ||
> +		ns_capable(ns, CAP_SYS_ADMIN);
> +}
> +
>   #endif /* !_LINUX_CAPABILITY_H */
> diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
> index 463d1ba2232a..48b08e4b3895 100644
> --- a/include/uapi/linux/capability.h
> +++ b/include/uapi/linux/capability.h
> @@ -417,7 +417,12 @@ struct vfs_ns_cap_data {
>   
>   #define CAP_CHECKPOINT_RESTORE	40
>   
> -#define CAP_LAST_CAP         CAP_CHECKPOINT_RESTORE
> +/* Allow setup IMA policy per container independently */
> +/* No necessary to be superuser */
> +
> +#define CAP_INTEGRITY_ADMIN	41
> +
> +#define CAP_LAST_CAP		CAP_INTEGRITY_ADMIN
>   
>   #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
>   
> diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
> index 35aac62a662e..7ff532b90f09 100644
> --- a/security/selinux/include/classmap.h
> +++ b/security/selinux/include/classmap.h
> @@ -28,9 +28,9 @@
>   
>   #define COMMON_CAP2_PERMS  "mac_override", "mac_admin", "syslog", \
>   		"wake_alarm", "block_suspend", "audit_read", "perfmon", "bpf", \
> -		"checkpoint_restore"
> +		"checkpoint_restore", "integrity_admin"
>   
> -#if CAP_LAST_CAP > CAP_CHECKPOINT_RESTORE
> +#if CAP_LAST_CAP > CAP_INTEGRITY_ADMIN
>   #error New capability defined, please update COMMON_CAP2_PERMS.
>   #endif
>

Stefan Berger Nov. 30, 2021, 5:41 p.m. UTC | #2

On 11/30/21 12:27, Casey Schaufler wrote:
> On 11/30/2021 8:06 AM, Stefan Berger wrote:
>> From: Denis Semakin <denis.semakin@huawei.com>
>>
>> This patch introduces CAP_INTEGRITY_ADMIN, a new capability that allows
>> to setup IMA (Integrity Measurement Architecture) policies per container
>> for non-root users.
>
> Why not use CAP_MAC_ADMIN? IMA is a mandatory policy. The scope
> is system security administration. It seems to fit your needs.
> I introduced CAP_MAC_ADMIN for Smack, and believe that IMA using
> it would be completely appropriate.

Fine by me. I suppose we could be reusing it later on also for setting 
file extended attributes for IMA?

    Stefan

Casey Schaufler Nov. 30, 2021, 5:50 p.m. UTC | #3

On 11/30/2021 9:41 AM, Stefan Berger wrote:
>
> On 11/30/21 12:27, Casey Schaufler wrote:
>> On 11/30/2021 8:06 AM, Stefan Berger wrote:
>>> From: Denis Semakin <denis.semakin@huawei.com>
>>>
>>> This patch introduces CAP_INTEGRITY_ADMIN, a new capability that allows
>>> to setup IMA (Integrity Measurement Architecture) policies per container
>>> for non-root users.
>>
>> Why not use CAP_MAC_ADMIN? IMA is a mandatory policy. The scope
>> is system security administration. It seems to fit your needs.
>> I introduced CAP_MAC_ADMIN for Smack, and believe that IMA using
>> it would be completely appropriate.
>
> Fine by me. I suppose we could be reusing it later on also for setting file extended attributes for IMA?

Yes. That would be completely consistent with the intention and the
Smack implementation.

>
>    Stefan
>
>

diff --git a/include/linux/capability.h b/include/linux/capability.h
index 65efb74c3585..ea6d58acb95e 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -278,4 +278,10 @@  int get_vfs_caps_from_disk(struct user_namespace *mnt_userns,
 int cap_convert_nscap(struct user_namespace *mnt_userns, struct dentry *dentry,
 		      const void **ivalue, size_t size);
 
+static inline bool integrity_admin_ns_capable(struct user_namespace *ns)
+{
+	return ns_capable(ns, CAP_INTEGRITY_ADMIN) ||
+		ns_capable(ns, CAP_SYS_ADMIN);
+}
+
 #endif /* !_LINUX_CAPABILITY_H */
diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
index 463d1ba2232a..48b08e4b3895 100644
--- a/include/uapi/linux/capability.h
+++ b/include/uapi/linux/capability.h
@@ -417,7 +417,12 @@  struct vfs_ns_cap_data {
 
 #define CAP_CHECKPOINT_RESTORE	40
 
-#define CAP_LAST_CAP         CAP_CHECKPOINT_RESTORE
+/* Allow setup IMA policy per container independently */
+/* No necessary to be superuser */
+
+#define CAP_INTEGRITY_ADMIN	41
+
+#define CAP_LAST_CAP		CAP_INTEGRITY_ADMIN
 
 #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
 
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 35aac62a662e..7ff532b90f09 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -28,9 +28,9 @@ 
 
 #define COMMON_CAP2_PERMS  "mac_override", "mac_admin", "syslog", \
 		"wake_alarm", "block_suspend", "audit_read", "perfmon", "bpf", \
-		"checkpoint_restore"
+		"checkpoint_restore", "integrity_admin"
 
-#if CAP_LAST_CAP > CAP_CHECKPOINT_RESTORE
+#if CAP_LAST_CAP > CAP_INTEGRITY_ADMIN
 #error New capability defined, please update COMMON_CAP2_PERMS.
 #endif

[RFC,15/20] capabilities: Introduce CAP_INTEGRITY_ADMIN

Commit Message

Comments

Patch