ima: add support for new "euid" policy condition
The new "euid" policy condition measures files with the specified effective uid (euid). In addition, for CAP_SETUID files it measures files with the specified uid or suid. Changelog: - fixed checkpatch.pl warnings - fixed avc denied {setuid} messages - based on Roberto's feedback Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: Dr. Greg Wettstein <gw@idfusion.org> Cc: stable@vger.kernel.org
This commit is contained in:
parent
45b26133b9
commit
139069eff7
@ -20,7 +20,7 @@ Description:
|
||||
action: measure | dont_measure | appraise | dont_appraise | audit
|
||||
condition:= base | lsm [option]
|
||||
base: [[func=] [mask=] [fsmagic=] [fsuuid=] [uid=]
|
||||
[fowner]]
|
||||
[euid=] [fowner=]]
|
||||
lsm: [[subj_user=] [subj_role=] [subj_type=]
|
||||
[obj_user=] [obj_role=] [obj_type=]]
|
||||
option: [[appraise_type=]] [permit_directio]
|
||||
@ -31,6 +31,7 @@ Description:
|
||||
fsmagic:= hex value
|
||||
fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
|
||||
uid:= decimal value
|
||||
euid:= decimal value
|
||||
fowner:=decimal value
|
||||
lsm: are LSM specific
|
||||
option: appraise_type:= [imasig]
|
||||
|
@ -27,6 +27,7 @@
|
||||
#define IMA_UID 0x0008
|
||||
#define IMA_FOWNER 0x0010
|
||||
#define IMA_FSUUID 0x0020
|
||||
#define IMA_EUID 0x0080
|
||||
|
||||
#define UNKNOWN 0
|
||||
#define MEASURE 0x0001 /* same as IMA_MEASURE */
|
||||
@ -194,6 +195,16 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
|
||||
return false;
|
||||
if ((rule->flags & IMA_UID) && !uid_eq(rule->uid, cred->uid))
|
||||
return false;
|
||||
if (rule->flags & IMA_EUID) {
|
||||
if (has_capability_noaudit(current, CAP_SETUID)) {
|
||||
if (!uid_eq(rule->uid, cred->euid)
|
||||
&& !uid_eq(rule->uid, cred->suid)
|
||||
&& !uid_eq(rule->uid, cred->uid))
|
||||
return false;
|
||||
} else if (!uid_eq(rule->uid, cred->euid))
|
||||
return false;
|
||||
}
|
||||
|
||||
if ((rule->flags & IMA_FOWNER) && !uid_eq(rule->fowner, inode->i_uid))
|
||||
return false;
|
||||
for (i = 0; i < MAX_LSM_RULES; i++) {
|
||||
@ -373,7 +384,8 @@ enum {
|
||||
Opt_audit,
|
||||
Opt_obj_user, Opt_obj_role, Opt_obj_type,
|
||||
Opt_subj_user, Opt_subj_role, Opt_subj_type,
|
||||
Opt_func, Opt_mask, Opt_fsmagic, Opt_uid, Opt_fowner,
|
||||
Opt_func, Opt_mask, Opt_fsmagic,
|
||||
Opt_uid, Opt_euid, Opt_fowner,
|
||||
Opt_appraise_type, Opt_fsuuid, Opt_permit_directio
|
||||
};
|
||||
|
||||
@ -394,6 +406,7 @@ static match_table_t policy_tokens = {
|
||||
{Opt_fsmagic, "fsmagic=%s"},
|
||||
{Opt_fsuuid, "fsuuid=%s"},
|
||||
{Opt_uid, "uid=%s"},
|
||||
{Opt_euid, "euid=%s"},
|
||||
{Opt_fowner, "fowner=%s"},
|
||||
{Opt_appraise_type, "appraise_type=%s"},
|
||||
{Opt_permit_directio, "permit_directio"},
|
||||
@ -566,6 +579,9 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
|
||||
break;
|
||||
case Opt_uid:
|
||||
ima_log_string(ab, "uid", args[0].from);
|
||||
case Opt_euid:
|
||||
if (token == Opt_euid)
|
||||
ima_log_string(ab, "euid", args[0].from);
|
||||
|
||||
if (uid_valid(entry->uid)) {
|
||||
result = -EINVAL;
|
||||
@ -574,11 +590,14 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
|
||||
|
||||
result = kstrtoul(args[0].from, 10, &lnum);
|
||||
if (!result) {
|
||||
entry->uid = make_kuid(current_user_ns(), (uid_t)lnum);
|
||||
if (!uid_valid(entry->uid) || (((uid_t)lnum) != lnum))
|
||||
entry->uid = make_kuid(current_user_ns(),
|
||||
(uid_t) lnum);
|
||||
if (!uid_valid(entry->uid) ||
|
||||
(uid_t)lnum != lnum)
|
||||
result = -EINVAL;
|
||||
else
|
||||
entry->flags |= IMA_UID;
|
||||
entry->flags |= (token == Opt_uid)
|
||||
? IMA_UID : IMA_EUID;
|
||||
}
|
||||
break;
|
||||
case Opt_fowner:
|
||||
|
Loading…
Reference in New Issue
Block a user