| Message ID | 20220420140633.753772-12-stefanb@linux.ibm.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | ima: Namespace IMA with audit support in IMA-ns | expand |
On Wed, Apr 20, 2022 at 10:06:18AM -0400, Stefan Berger wrote: > Define mac_admin_ns_capable() as a wrapper for the combined ns_capable() > checks on CAP_MAC_ADMIN and CAP_SYS_ADMIN in a user namespace. Return > true on the check if either capability or both are available. > > Use mac_admin_ns_capable() in place of capable(SYS_ADMIN). This will allow > an IMA namespace to read the policy with only CAP_MAC_ADMIN, which has > less privileges than CAP_SYS_ADMIN. > > Since CAP_MAC_ADMIN is an additional capability added to an existing gate > avoid auditing in case it is not set. It would probably be best to become a user of https://lore.kernel.org/all/20220217145003.78982-2-cgzones@googlemail.com/ when that lands. > Signed-off-by: Denis Semakin <denis.semakin@huawei.com> > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> > > --- > v11: > - use ns_capable_noaudit for CAP_MAC_ADMIN to avoid auditing in this case > --- > include/linux/capability.h | 6 ++++++ > security/integrity/ima/ima.h | 6 ++++++ > security/integrity/ima/ima_fs.c | 5 ++++- > 3 files changed, 16 insertions(+), 1 deletion(-) > > diff --git a/include/linux/capability.h b/include/linux/capability.h > index 65efb74c3585..dc3e1230b365 100644 > --- a/include/linux/capability.h > +++ b/include/linux/capability.h > @@ -270,6 +270,12 @@ static inline bool checkpoint_restore_ns_capable(struct user_namespace *ns) > ns_capable(ns, CAP_SYS_ADMIN); > } > > +static inline bool mac_admin_ns_capable(struct user_namespace *ns) > +{ > + return ns_capable_noaudit(ns, CAP_MAC_ADMIN) || > + ns_capable(ns, CAP_SYS_ADMIN); > +} > + > /* audit system wants to get cap info from files as well */ > int get_vfs_caps_from_disk(struct user_namespace *mnt_userns, > const struct dentry *dentry, > diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h > index 5bf7f080c2be..626a6ce2453c 100644 > --- a/security/integrity/ima/ima.h > +++ b/security/integrity/ima/ima.h > @@ -491,4 +491,10 @@ static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op, > #define POLICY_FILE_FLAGS S_IWUSR > #endif /* CONFIG_IMA_READ_POLICY */ > > +static inline > +struct user_namespace *ima_user_ns_from_file(const struct file *filp) > +{ > + return file_inode(filp)->i_sb->s_user_ns; > +} include/linux/fs.h has file_mnt_user_ns(). Maybe you should add a file_sb_user_ns() next to that? > + > #endif /* __LINUX_IMA_H */ > diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c > index 89d3113ceda1..c41aa61b7393 100644 > --- a/security/integrity/ima/ima_fs.c > +++ b/security/integrity/ima/ima_fs.c > @@ -377,6 +377,9 @@ static const struct seq_operations ima_policy_seqops = { > */ > static int ima_open_policy(struct inode *inode, struct file *filp) > { > +#ifdef CONFIG_IMA_READ_POLICY > + struct user_namespace *user_ns = ima_user_ns_from_file(filp); > +#endif > struct ima_namespace *ns = &init_ima_ns; > > if (!(filp->f_flags & O_WRONLY)) { > @@ -385,7 +388,7 @@ static int ima_open_policy(struct inode *inode, struct file *filp) > #else > if ((filp->f_flags & O_ACCMODE) != O_RDONLY) > return -EACCES; > - if (!capable(CAP_SYS_ADMIN)) > + if (!mac_admin_ns_capable(user_ns)) > return -EPERM; > return seq_open(filp, &ima_policy_seqops); > #endif > -- > 2.34.1
On 5/22/22 13:31, Serge E. Hallyn wrote: > On Wed, Apr 20, 2022 at 10:06:18AM -0400, Stefan Berger wrote: >> Define mac_admin_ns_capable() as a wrapper for the combined ns_capable() >> checks on CAP_MAC_ADMIN and CAP_SYS_ADMIN in a user namespace. Return >> true on the check if either capability or both are available. >> >> Use mac_admin_ns_capable() in place of capable(SYS_ADMIN). This will allow >> an IMA namespace to read the policy with only CAP_MAC_ADMIN, which has >> less privileges than CAP_SYS_ADMIN. >> >> Since CAP_MAC_ADMIN is an additional capability added to an existing gate >> avoid auditing in case it is not set. > > It would probably be best to become a user of > https://lore.kernel.org/all/20220217145003.78982-2-cgzones@googlemail.com/ > > when that lands. Hm,I'll try to monitor to see when this gets merged. Though the function proposed there uses a hard-coded init_user_ns, which may not work for everyone. > >> Signed-off-by: Denis Semakin <denis.semakin@huawei.com> >> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> >> >> --- >> v11: >> - use ns_capable_noaudit for CAP_MAC_ADMIN to avoid auditing in this case >> --- >> include/linux/capability.h | 6 ++++++ >> security/integrity/ima/ima.h | 6 ++++++ >> security/integrity/ima/ima_fs.c | 5 ++++- >> 3 files changed, 16 insertions(+), 1 deletion(-) >> >> diff --git a/include/linux/capability.h b/include/linux/capability.h >> index 65efb74c3585..dc3e1230b365 100644 >> --- a/include/linux/capability.h >> +++ b/include/linux/capability.h >> @@ -270,6 +270,12 @@ static inline bool checkpoint_restore_ns_capable(struct user_namespace *ns) >> ns_capable(ns, CAP_SYS_ADMIN); >> } >> >> +static inline bool mac_admin_ns_capable(struct user_namespace *ns) >> +{ >> + return ns_capable_noaudit(ns, CAP_MAC_ADMIN) || >> + ns_capable(ns, CAP_SYS_ADMIN); >> +} >> + >> /* audit system wants to get cap info from files as well */ >> int get_vfs_caps_from_disk(struct user_namespace *mnt_userns, >> const struct dentry *dentry, >> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h >> index 5bf7f080c2be..626a6ce2453c 100644 >> --- a/security/integrity/ima/ima.h >> +++ b/security/integrity/ima/ima.h >> @@ -491,4 +491,10 @@ static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op, >> #define POLICY_FILE_FLAGS S_IWUSR >> #endif /* CONFIG_IMA_READ_POLICY */ >> >> +static inline >> +struct user_namespace *ima_user_ns_from_file(const struct file *filp) >> +{ >> + return file_inode(filp)->i_sb->s_user_ns; >> +} > > include/linux/fs.h has file_mnt_user_ns(). Maybe you should add a > file_sb_user_ns() next to that? I did that now: +static inline +struct user_namespace *ima_user_ns_from_file(struct file *filp) +{ + return file_sb_user_ns(filp); +} + +static inline struct user_namespace *file_sb_user_ns(struct file *file) +{ + return i_user_ns(file_inode(file)); +} + > >> + >> #endif /* __LINUX_IMA_H */ >> diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c >> index 89d3113ceda1..c41aa61b7393 100644 >> --- a/security/integrity/ima/ima_fs.c >> +++ b/security/integrity/ima/ima_fs.c >> @@ -377,6 +377,9 @@ static const struct seq_operations ima_policy_seqops = { >> */ >> static int ima_open_policy(struct inode *inode, struct file *filp) >> { >> +#ifdef CONFIG_IMA_READ_POLICY >> + struct user_namespace *user_ns = ima_user_ns_from_file(filp); >> +#endif >> struct ima_namespace *ns = &init_ima_ns; >> >> if (!(filp->f_flags & O_WRONLY)) { >> @@ -385,7 +388,7 @@ static int ima_open_policy(struct inode *inode, struct file *filp) >> #else >> if ((filp->f_flags & O_ACCMODE) != O_RDONLY) >> return -EACCES; >> - if (!capable(CAP_SYS_ADMIN)) >> + if (!mac_admin_ns_capable(user_ns)) >> return -EPERM; >> return seq_open(filp, &ima_policy_seqops); >> #endif >> -- >> 2.34.1
diff --git a/include/linux/capability.h b/include/linux/capability.h index 65efb74c3585..dc3e1230b365 100644 --- a/include/linux/capability.h +++ b/include/linux/capability.h @@ -270,6 +270,12 @@ static inline bool checkpoint_restore_ns_capable(struct user_namespace *ns) ns_capable(ns, CAP_SYS_ADMIN); } +static inline bool mac_admin_ns_capable(struct user_namespace *ns) +{ + return ns_capable_noaudit(ns, CAP_MAC_ADMIN) || + ns_capable(ns, CAP_SYS_ADMIN); +} + /* audit system wants to get cap info from files as well */ int get_vfs_caps_from_disk(struct user_namespace *mnt_userns, const struct dentry *dentry, diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 5bf7f080c2be..626a6ce2453c 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -491,4 +491,10 @@ static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op, #define POLICY_FILE_FLAGS S_IWUSR #endif /* CONFIG_IMA_READ_POLICY */ +static inline +struct user_namespace *ima_user_ns_from_file(const struct file *filp) +{ + return file_inode(filp)->i_sb->s_user_ns; +} + #endif /* __LINUX_IMA_H */ diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c index 89d3113ceda1..c41aa61b7393 100644 --- a/security/integrity/ima/ima_fs.c +++ b/security/integrity/ima/ima_fs.c @@ -377,6 +377,9 @@ static const struct seq_operations ima_policy_seqops = { */ static int ima_open_policy(struct inode *inode, struct file *filp) { +#ifdef CONFIG_IMA_READ_POLICY + struct user_namespace *user_ns = ima_user_ns_from_file(filp); +#endif struct ima_namespace *ns = &init_ima_ns; if (!(filp->f_flags & O_WRONLY)) { @@ -385,7 +388,7 @@ static int ima_open_policy(struct inode *inode, struct file *filp) #else if ((filp->f_flags & O_ACCMODE) != O_RDONLY) return -EACCES; - if (!capable(CAP_SYS_ADMIN)) + if (!mac_admin_ns_capable(user_ns)) return -EPERM; return seq_open(filp, &ima_policy_seqops); #endif