From: Petr Vorel <pvorel@suse.cz>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: Alex Henrie <alexh@vpitech.com>,
linux-integrity@vger.kernel.org, alexhenrie24@gmail.com,
Curtis Veit <veit@vpieng.com>
Subject: Re: [PATCH v2] ima: add gid support
Date: Thu, 7 Oct 2021 11:34:40 +0200 [thread overview]
Message-ID: <YV6/MBZzZ5GS+MCv@pevik> (raw)
In-Reply-To: <81863154aebf9d3e023bd37acca8ff265a187fd0.camel@linux.ibm.com>
Hi Alex, Mimi,
> Hi Alex,
> On Mon, 2021-10-04 at 18:32 -0600, Alex Henrie wrote:
> > From: Curtis Veit <veit@vpieng.com>
> > IMA currently supports the concept of rules based on uid where the rule
> > is based on the uid of the file owner or the uid of the user accessing
> > the file. It is useful to have similar rules based on gid. This patch
> > provides that ability.
> > Signed-off-by: Curtis Veit <veit@vpieng.com>
> > Co-developed-by: Alex Henrie <alexh@vpitech.com>
> > Signed-off-by: Alex Henrie <alexh@vpitech.com>
> > ---
> > v2: Trivial changes that Mimi requested
> Sorry, scripts/check-patch.pl reported some warnings. Two more trivial changes.
> > ---
> > Documentation/ABI/testing/ima_policy | 8 +-
> > security/integrity/ima/ima_policy.c | 201 +++++++++++++++++++++++----
> > 2 files changed, 180 insertions(+), 29 deletions(-)
> > diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
> > index 5c2798534950..e1a04bd3b9e5 100644
> > --- a/Documentation/ABI/testing/ima_policy
> > @@ -78,9 +81,13 @@ struct ima_rule_entry {
> > unsigned long fsmagic;
> > uuid_t fsuuid;
> > kuid_t uid;
> > + kgid_t gid;
> > kuid_t fowner;
> > + kgid_t fgroup;
> > bool (*uid_op)(kuid_t, kuid_t); /* Handlers for operators */
> > + bool (*gid_op)(kgid_t, kgid_t);
> > bool (*fowner_op)(kuid_t, kuid_t); /* uid_eq(), uid_gt(), uid_lt() */
> > + bool (*fgroup_op)(kgid_t, kgid_t); /* gid_eq(), gid_gt(), gid_lt() */
> scripts/checkpatch.pl complains about missing variables.
+1
> > int pcr;
> > unsigned int allowed_algos; /* bitfield of allowed hash algorithms */
> > struct {
> > @@ -582,10 +590,23 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
> > } else if (!rule->uid_op(cred->euid, rule->uid))
> > return false;
> > }
> > -
> > + if ((rule->flags & IMA_GID) && !rule->gid_op(rule->gid, cred->gid))
> All of uid_op/gid_op calls in ima_match_rules() pass the "cred->xxxx,
> rule->xxx" except here, where it is rule->gid, cred->rule. Reversing
> the parameters here will help with addressing the checkpatch.pl
> warning.
+1
Apart from those checkpatch issues patch LGTM.
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Kind regards,
Petr
> thanks,
> Mimi
next prev parent reply other threads:[~2021-10-07 9:34 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-05 0:32 [PATCH v2] ima: add gid support Alex Henrie
2021-10-06 19:49 ` Mimi Zohar
2021-10-07 9:34 ` Petr Vorel [this message]
2021-10-07 19:41 ` Alex Henrie
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YV6/MBZzZ5GS+MCv@pevik \
--to=pvorel@suse.cz \
--cc=alexh@vpitech.com \
--cc=alexhenrie24@gmail.com \
--cc=linux-integrity@vger.kernel.org \
--cc=veit@vpieng.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox