From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Mimi Zohar <zohar@linux.vnet.ibm.com>,
"Dr. Greg Wettstein" <gw@idfusion.org>
Subject: [PATCH 3.14 12/44] ima: add support for new "euid" policy condition
Date: Fri, 14 Aug 2015 10:44:49 -0700 [thread overview]
Message-ID: <20150814174402.000755849@linuxfoundation.org> (raw)
In-Reply-To: <20150814174401.628233291@linuxfoundation.org>
3.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
commit 139069eff7388407f19794384c42a534d618ccd7 upstream.
The new "euid" policy condition measures files with the specified
effective uid (euid). In addition, for CAP_SETUID files it measures
files with the specified uid or suid.
Changelog:
- fixed checkpatch.pl warnings
- fixed avc denied {setuid} messages - based on Roberto's feedback
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Dr. Greg Wettstein <gw@idfusion.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/ABI/testing/ima_policy | 3 ++-
security/integrity/ima/ima_policy.c | 27 +++++++++++++++++++++++----
2 files changed, 25 insertions(+), 5 deletions(-)
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -20,7 +20,7 @@ Description:
action: measure | dont_measure | appraise | dont_appraise | audit
condition:= base | lsm [option]
base: [[func=] [mask=] [fsmagic=] [fsuuid=] [uid=]
- [fowner]]
+ [euid=] [fowner=]]
lsm: [[subj_user=] [subj_role=] [subj_type=]
[obj_user=] [obj_role=] [obj_type=]]
option: [[appraise_type=]] [permit_directio]
@@ -30,6 +30,7 @@ Description:
fsmagic:= hex value
fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
uid:= decimal value
+ euid:= decimal value
fowner:=decimal value
lsm: are LSM specific
option: appraise_type:= [imasig]
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -27,6 +27,7 @@
#define IMA_UID 0x0008
#define IMA_FOWNER 0x0010
#define IMA_FSUUID 0x0020
+#define IMA_EUID 0x0080
#define UNKNOWN 0
#define MEASURE 0x0001 /* same as IMA_MEASURE */
@@ -179,6 +180,16 @@ static bool ima_match_rules(struct ima_r
return false;
if ((rule->flags & IMA_UID) && !uid_eq(rule->uid, cred->uid))
return false;
+ if (rule->flags & IMA_EUID) {
+ if (has_capability_noaudit(current, CAP_SETUID)) {
+ if (!uid_eq(rule->uid, cred->euid)
+ && !uid_eq(rule->uid, cred->suid)
+ && !uid_eq(rule->uid, cred->uid))
+ return false;
+ } else if (!uid_eq(rule->uid, cred->euid))
+ return false;
+ }
+
if ((rule->flags & IMA_FOWNER) && !uid_eq(rule->fowner, inode->i_uid))
return false;
for (i = 0; i < MAX_LSM_RULES; i++) {
@@ -350,7 +361,8 @@ enum {
Opt_audit,
Opt_obj_user, Opt_obj_role, Opt_obj_type,
Opt_subj_user, Opt_subj_role, Opt_subj_type,
- Opt_func, Opt_mask, Opt_fsmagic, Opt_uid, Opt_fowner,
+ Opt_func, Opt_mask, Opt_fsmagic,
+ Opt_uid, Opt_euid, Opt_fowner,
Opt_appraise_type, Opt_fsuuid, Opt_permit_directio
};
@@ -371,6 +383,7 @@ static match_table_t policy_tokens = {
{Opt_fsmagic, "fsmagic=%s"},
{Opt_fsuuid, "fsuuid=%s"},
{Opt_uid, "uid=%s"},
+ {Opt_euid, "euid=%s"},
{Opt_fowner, "fowner=%s"},
{Opt_appraise_type, "appraise_type=%s"},
{Opt_permit_directio, "permit_directio"},
@@ -542,6 +555,9 @@ static int ima_parse_rule(char *rule, st
break;
case Opt_uid:
ima_log_string(ab, "uid", args[0].from);
+ case Opt_euid:
+ if (token == Opt_euid)
+ ima_log_string(ab, "euid", args[0].from);
if (uid_valid(entry->uid)) {
result = -EINVAL;
@@ -550,11 +566,14 @@ static int ima_parse_rule(char *rule, st
result = strict_strtoul(args[0].from, 10, &lnum);
if (!result) {
- entry->uid = make_kuid(current_user_ns(), (uid_t)lnum);
- if (!uid_valid(entry->uid) || (((uid_t)lnum) != lnum))
+ entry->uid = make_kuid(current_user_ns(),
+ (uid_t) lnum);
+ if (!uid_valid(entry->uid) ||
+ (uid_t)lnum != lnum)
result = -EINVAL;
else
- entry->flags |= IMA_UID;
+ entry->flags |= (token == Opt_uid)
+ ? IMA_UID : IMA_EUID;
}
break;
case Opt_fowner:
next prev parent reply other threads:[~2015-08-14 17:53 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-08-14 17:44 [PATCH 3.14 00/44] 3.14.51-stable review Greg Kroah-Hartman
2015-08-14 17:44 ` [PATCH 3.14 01/44] ARM: realview: fix sparsemem build Greg Kroah-Hartman
2015-08-14 17:44 ` [PATCH 3.14 02/44] MIPS: Malta: Dont reinitialise RTC Greg Kroah-Hartman
2015-08-14 17:44 ` [PATCH 3.14 03/44] MIPS: Fix sched_getaffinity with MT FPAFF enabled Greg Kroah-Hartman
2015-08-14 17:44 ` [PATCH 3.14 04/44] MIPS: Make set_pte() SMP safe Greg Kroah-Hartman
2015-08-14 17:44 ` [PATCH 3.14 05/44] fsnotify: fix oops in fsnotify_clear_marks_by_group_flags() Greg Kroah-Hartman
2015-08-14 17:44 ` [PATCH 3.14 06/44] drm/radeon/combios: add some validation of lvds values Greg Kroah-Hartman
2015-08-14 17:44 ` [PATCH 3.14 07/44] ipr: Fix locking for unit attention handling Greg Kroah-Hartman
2015-08-14 17:44 ` [PATCH 3.14 08/44] ipr: Fix incorrect trace indexing Greg Kroah-Hartman
2015-08-14 17:44 ` [PATCH 3.14 09/44] ipr: Fix invalid array indexing for HRRQ Greg Kroah-Hartman
2015-08-14 17:44 ` [PATCH 3.14 11/44] USB: sierra: add 1199:68AB device ID Greg Kroah-Hartman
2015-08-14 17:44 ` Greg Kroah-Hartman [this message]
2015-08-14 17:44 ` [PATCH 3.14 13/44] ima: extend "mask" policy matching support Greg Kroah-Hartman
2015-08-14 17:44 ` [PATCH 3.14 14/44] md: use kzalloc() when bitmap is disabled Greg Kroah-Hartman
2015-08-14 17:44 ` [PATCH 3.14 15/44] ARM: sunxi: fix build for THUMB2_KERNEL Greg Kroah-Hartman
2015-08-14 17:44 ` [PATCH 3.14 16/44] [PATCH] sparc64: Fix userspace FPU register corruptions Greg Kroah-Hartman
2015-08-14 17:44 ` [PATCH 3.14 17/44] ASoC: pcm1681: Fix setting de-emphasis sampling rate selection Greg Kroah-Hartman
2015-08-14 17:44 ` [PATCH 3.14 18/44] x86/xen: Probe target addresses in set_aliased_prot() before the hypercall Greg Kroah-Hartman
2015-08-14 17:44 ` [PATCH 3.14 20/44] crypto: ixp4xx - Remove bogus BUG_ON on scattered dst buffer Greg Kroah-Hartman
2015-08-14 17:44 ` [PATCH 3.14 21/44] rbd: fix copyup completion race Greg Kroah-Hartman
2015-08-14 17:44 ` [PATCH 3.14 22/44] ARM: OMAP2+: hwmod: Fix _wait_target_ready() for hwmods without sysc Greg Kroah-Hartman
2015-08-14 17:45 ` [PATCH 3.14 23/44] iscsi-target: Fix iscsit_start_kthreads failure OOPs Greg Kroah-Hartman
2015-08-14 17:45 ` [PATCH 3.14 24/44] ALSA: hda - fix cs4210_spdif_automute() Greg Kroah-Hartman
2015-08-14 17:45 ` [PATCH 3.14 25/44] ipc: modify message queue accounting to not take kernel data structures into account Greg Kroah-Hartman
2015-08-14 17:45 ` [PATCH 3.14 26/44] ocfs2: fix BUG in ocfs2_downconvert_thread_do_work() Greg Kroah-Hartman
2015-08-14 17:45 ` [PATCH 3.14 27/44] PCI: Restore PCI_MSIX_FLAGS_BIRMASK definition Greg Kroah-Hartman
2015-08-14 17:45 ` [PATCH 3.14 28/44] md/raid1: extend spinlock to protect raid1_end_read_request against inconsistencies Greg Kroah-Hartman
2015-08-14 17:45 ` [PATCH 3.14 29/44] sg_start_req(): make sure that theres not too many elements in iovec Greg Kroah-Hartman
2015-08-14 17:45 ` [PATCH 3.14 30/44] signalfd: fix information leak in signalfd_copyinfo Greg Kroah-Hartman
2015-09-03 15:43 ` Luis Henriques
2015-08-14 17:45 ` [PATCH 3.14 31/44] signal: fix information leak in copy_siginfo_to_user Greg Kroah-Hartman
2015-08-14 17:45 ` [PATCH 3.14 32/44] signal: fix information leak in copy_siginfo_from_user32 Greg Kroah-Hartman
2015-08-14 17:45 ` [PATCH 3.14 33/44] fold d_kill() and d_free() Greg Kroah-Hartman
2015-08-14 17:45 ` [PATCH 3.14 34/44] fold try_prune_one_dentry() Greg Kroah-Hartman
2015-08-14 17:45 ` [PATCH 3.14 35/44] new helper: dentry_free() Greg Kroah-Hartman
2015-08-14 17:45 ` [PATCH 3.14 36/44] expand the call of dentry_lru_del() in dentry_kill() Greg Kroah-Hartman
2015-08-14 17:45 ` [PATCH 3.14 37/44] dentry_kill(): dont try to remove from shrink list Greg Kroah-Hartman
2015-08-14 17:45 ` [PATCH 3.14 38/44] dont remove from shrink list in select_collect() Greg Kroah-Hartman
2015-08-14 17:45 ` [PATCH 3.14 39/44] more graceful recovery in umount_collect() Greg Kroah-Hartman
2015-08-14 17:45 ` [PATCH 3.14 40/44] dcache: dont need rcu in shrink_dentry_list() Greg Kroah-Hartman
2015-08-14 17:45 ` [PATCH 3.14 41/44] kvm: x86: fix kvm_apic_has_events to check for NULL pointer Greg Kroah-Hartman
2015-08-14 17:45 ` [PATCH 3.14 42/44] path_openat(): fix double fput() Greg Kroah-Hartman
2015-08-14 17:45 ` [PATCH 3.14 43/44] md/bitmap: return an error when bitmap superblock is corrupt Greg Kroah-Hartman
2015-08-14 17:45 ` [PATCH 3.14 44/44] mm, vmscan: Do not wait for page writeback for GFP_NOFS allocations Greg Kroah-Hartman
2015-08-15 0:11 ` [PATCH 3.14 00/44] 3.14.51-stable review Shuah Khan
[not found] ` <55cf55dd.8c4cc20a.acdcb.49af@mx.google.com>
2015-08-15 15:10 ` Kevin Hilman
2015-08-15 16:41 ` Greg Kroah-Hartman
2015-08-15 15:17 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150814174402.000755849@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=gw@idfusion.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).