From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:54658 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S934069AbeAHT4D (ORCPT ); Mon, 8 Jan 2018 14:56:03 -0500 Received: from pps.filterd (m0098420.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.22/8.16.0.21) with SMTP id w08JsOmm100904 for ; Mon, 8 Jan 2018 14:56:02 -0500 Received: from e06smtp10.uk.ibm.com (e06smtp10.uk.ibm.com [195.75.94.106]) by mx0b-001b2d01.pphosted.com with ESMTP id 2fccdtqw80-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 08 Jan 2018 14:56:02 -0500 Received: from localhost by e06smtp10.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 8 Jan 2018 19:56:00 -0000 Subject: Re: [PATCH V5 2/2] IMA: Support using new creds in appraisal policy From: Mimi Zohar To: Matthew Garrett Cc: linux-integrity , Paul Moore , Stephen Smalley , Eric Paris , selinux@tycho.nsa.gov, Casey Schaufler , LSM List , Dmitry Kasatkin Date: Mon, 08 Jan 2018 14:55:53 -0500 In-Reply-To: References: <20180105211536.11611-1-mjg59@google.com> <20180105211536.11611-2-mjg59@google.com> <1515413905.3460.40.camel@linux.vnet.ibm.com> Content-Type: text/plain; charset="UTF-8" Mime-Version: 1.0 Message-Id: <1515441353.3426.50.camel@linux.vnet.ibm.com> Sender: linux-integrity-owner@vger.kernel.org List-ID: On Mon, 2018-01-08 at 11:45 -0800, Matthew Garrett wrote: > On Mon, Jan 8, 2018 at 4:18 AM, Mimi Zohar wrote: > > On Fri, 2018-01-05 at 13:15 -0800, Matthew Garrett wrote: > >> The existing BPRM_CHECK functionality in IMA validates against the > >> credentials of the existing process, not any new credentials that the > >> child process may transition to. Add an additional CREDS_CHECK target > >> and refactor IMA to pass the appropriate creds structure. In > >> ima_bprm_check(), check with both the existing process credentials and > >> the credentials that will be committed when the new process is started. > >> This will not change behaviour unless the system policy is extended to > >> include CREDS_CHECK targets - BPRM_CHECK will continue to check the same > >> credentials that it did previously. > > > > Refactoring IMA to pass the creds structure all the way down is a > > generic solution, but if the CREDS_CHECK rule is only being called > > from ima_bprm_check(), "container_of" the bprm->file returns a pointer > > to the bprm structure. Perhaps you could limit the amount of > > refactoring needed based on the func. > > Hm. This would avoid adding an argument to process_measurement(), but > we'd still need to pass additional information down through > ima_get_action() in order to get the creds and secid right. It feels a > little ugly to have process_measurement() recreate information rather > than having the caller pass it in, but I'm not going to object. Agreed. Initially, I was thinking that only ima_match_rules() would use container_of, but the very first thing process_measurement() does is get the inode from the file. Everything afterwards passes the inode. > > Could you include in the patch description a simple method for testing > > this change? > > Certainly. Thanks! Mimi