From: Petr Vorel <pvorel@suse.cz>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: Alex Henrie <alexh@vpitech.com>,
	linux-integrity@vger.kernel.org, alexhenrie24@gmail.com,
	Curtis Veit <veit@vpieng.com>
Subject: Re: [PATCH v2] ima: add gid support
Date: Thu, 7 Oct 2021 11:34:40 +0200
Message-ID: <YV6/MBZzZ5GS+MCv@pevik>
In-Reply-To: <81863154aebf9d3e023bd37acca8ff265a187fd0.camel@linux.ibm.com>

Hi Alex, Mimi,

> Hi Alex,

> On Mon, 2021-10-04 at 18:32 -0600, Alex Henrie wrote:
> > From: Curtis Veit <veit@vpieng.com>

> > IMA currently supports the concept of rules based on uid where the rule
> > is based on the uid of the file owner or the uid of the user accessing
> > the file. It is useful to have similar rules based on gid. This patch
> > provides that ability.

> > Signed-off-by: Curtis Veit <veit@vpieng.com>
> > Co-developed-by: Alex Henrie <alexh@vpitech.com>
> > Signed-off-by: Alex Henrie <alexh@vpitech.com>
> > ---
> > v2: Trivial changes that Mimi requested

> Sorry, scripts/checkpatch.pl reported some warnings. Two more trivial changes.

> > ---
> >  Documentation/ABI/testing/ima_policy |   8 +-
> >  security/integrity/ima/ima_policy.c  | 201 +++++++++++++++++++++++----
> >  2 files changed, 180 insertions(+), 29 deletions(-)

> > diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
> > index 5c2798534950..e1a04bd3b9e5 100644
> > --- a/Documentation/ABI/testing/ima_policy

> > @@ -78,9 +81,13 @@ struct ima_rule_entry {
> >  	unsigned long fsmagic;
> >  	uuid_t fsuuid;
> >  	kuid_t uid;
> > +	kgid_t gid;
> >  	kuid_t fowner;
> > +	kgid_t fgroup;
> >  	bool (*uid_op)(kuid_t, kuid_t);    /* Handlers for operators       */
> > +	bool (*gid_op)(kgid_t, kgid_t);
> >  	bool (*fowner_op)(kuid_t, kuid_t); /* uid_eq(), uid_gt(), uid_lt() */
> > +	bool (*fgroup_op)(kgid_t, kgid_t); /* gid_eq(), gid_gt(), gid_lt() */

> scripts/checkpatch.pl complains about missing variables.
+1

> >  	int pcr;
> >  	unsigned int allowed_algos; /* bitfield of allowed hash algorithms */
> >  	struct {
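Review bot: the two new function-pointer members in this hunk, `bool (*gid_op)(kgid_t, kgid_t);` and `bool (*fgroup_op)(kgid_t, kgid_t);`, declare their parameters without identifiers, which is what checkpatch.pl reports on the added lines (the pre-existing uid_op/fowner_op members have the same shape, but they are not touched by the patch and so are not flagged). Naming the parameters, e.g. `bool (*gid_op)(kgid_t cred_gid, kgid_t rule_gid);`, silences the warning and also documents the expected argument order, which matters because the same pointer is filled with gid_gt()/gid_lt() as well as gid_eq(), per the comment on fgroup_op. gid_op could carry the same operator comment as fgroup_op so the two pairs read alike.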

> > @@ -582,10 +590,23 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
> >  		} else if (!rule->uid_op(cred->euid, rule->uid))
> >  			return false;
> >  	}
> > -
> > +	if ((rule->flags & IMA_GID) && !rule->gid_op(rule->gid, cred->gid))
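Review bot: the new check `!rule->gid_op(rule->gid, cred->gid)` passes the rule value first and the credential second, the reverse of the uid check in the context just above it, `!rule->uid_op(cred->euid, rule->uid)`. For gid_eq() the order makes no difference, but gid_op is also set to gid_gt()/gid_lt() (see the operator comment in the struct hunk), and for those the swap inverts the rule: a `>` rule evaluates `rule->gid > cred->gid`, matching processes whose gid is below the threshold rather than above it. Write it as `rule->gid_op(cred->gid, rule->gid)` to match the uid path. The hunk also drops the blank line that separated the uid block from the new check; keeping it helps readability.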

> All of uid_op/gid_op calls in ima_match_rules() pass the "cred->xxxx,
> rule->xxx" except here, where it is rule->gid, cred->gid.  Reversing
> the parameters here will help with addressing the checkpatch.pl
> warning.
+1

Apart from those checkpatch issues patch LGTM.
Reviewed-by: Petr Vorel <pvorel@suse.cz>

Kind regards,
Petr

> thanks,

> Mimi
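To make concrete why the argument order raised above matters beyond the checkpatch warning, here is an added userspace model (not code from the patch or from the kernel): it dispatches a rule's comparison through a function pointer the way struct ima_rule_entry does, once with the credential first (as the existing uid checks do) and once with the rule value first (as the v2 hunk does). The kgid_t type, gid_eq()/gid_gt()/gid_lt(), the struct and the mapping of the `=`, `>`, `<` operators to those functions are stand-ins assumed to mirror the kernel pattern, and the gids used are constructed sample values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Stand-ins for the kernel's kgid_t and gid_eq()/gid_gt()/gid_lt()
 * (assumption: same shape; userspace reimplementation, not linux/uidgid.h).
 */
typedef struct { unsigned int val; } kgid_t;

static bool gid_eq(kgid_t a, kgid_t b) { return a.val == b.val; }
static bool gid_gt(kgid_t a, kgid_t b) { return a.val >  b.val; }
static bool gid_lt(kgid_t a, kgid_t b) { return a.val <  b.val; }

/* Minimal model of the gid fields the patch adds to struct ima_rule_entry. */
struct rule {
	kgid_t gid;
	bool (*gid_op)(kgid_t cred_gid, kgid_t rule_gid); /* gid_eq(), gid_gt(), gid_lt() */
};

/* Model of the policy parser: "gid=N", "gid>N", "gid<N" select the operator
 * (assumption: gid rules take the same operators as the existing uid rules). */
static struct rule make_rule(char op, unsigned int gid)
{
	struct rule r = { .gid = { gid }, .gid_op = gid_eq };

	if (op == '>')
		r.gid_op = gid_gt;
	else if (op == '<')
		r.gid_op = gid_lt;
	return r;
}

/* Argument order used by the existing uid checks: credential first, rule second. */
static bool match_cred_first(char op, unsigned int rule_gid, unsigned int cred_gid)
{
	struct rule r = make_rule(op, rule_gid);
	kgid_t cred = { cred_gid };

	return r.gid_op(cred, r.gid);
}

/* Argument order as written in the v2 hunk: rule first, credential second. */
static bool match_rule_first(char op, unsigned int rule_gid, unsigned int cred_gid)
{
	struct rule r = make_rule(op, rule_gid);
	kgid_t cred = { cred_gid };

	return r.gid_op(r.gid, cred);
}

int main(void)
{
	const char ops[] = { '=', '>', '<' };
	unsigned int cred_gid = 1000;  /* constructed sample: process gid 1000 */
	unsigned int rule_gid = 500;   /* constructed sample: rule "gid<op>500" */

	/* '=' agrees in both orders; '>' and '<' flip when the arguments are swapped. */
	for (size_t i = 0; i < sizeof(ops); i++)
		printf("rule gid%c%u, cred gid %u: cred-first=%d rule-first=%d\n",
		       ops[i], rule_gid, cred_gid,
		       match_cred_first(ops[i], rule_gid, cred_gid),
		       match_rule_first(ops[i], rule_gid, cred_gid));
	return 0;
}
```

With a process in gid 1000 and a rule threshold of 500, the `=` rule is unaffected by the order, but `gid>500` matches only in the credential-first order and `gid<500` matches only in the rule-first order, which is the inversion the review asks to avoid.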


Thread overview: 4+ messages
2021-10-05  0:32 [PATCH v2] ima: add gid support Alex Henrie
2021-10-06 19:49 ` Mimi Zohar
2021-10-07  9:34   ` Petr Vorel [this message]
2021-10-07 19:41   ` Alex Henrie
