Re: [PATCH v2 2/7] ima: Define new template fields iuid and igid

From: Christian Brauner
Date: Fri May 28 2021 - 04:25:18 EST

Next message: Srinivas Kandagatla: "Re: [PATCH 1/2] nvmem: core: constify nvmem_cell_read_variable_common() return value"
Previous message: Alex Ghiti: "Re: [PATCH v2] riscv: Map the kernel with correct permissions the first time"
In reply to: Roberto Sassu: "[PATCH v2 2/7] ima: Define new template fields iuid and igid"
Next in thread: Roberto Sassu: "[PATCH v2 3/7] ima: Define new template field imode"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, May 28, 2021 at 09:38:07AM +0200, Roberto Sassu wrote:
> This patch defines the new template fields iuid and igid, which include
> respectively the inode UID and GID. For idmapped mounts, still the original
> UID and GID are provided.
>
> These fields can be used to verify the EVM portable signature, if it was
> included with the template fields sig or evmsig.
>
> Cc: Christian Brauner <christian.brauner@xxxxxxxxxx>
> Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
> ---

That's fine with me. Thanks, Robert!
Acked-by: Christian Brauner <christian.brauner@xxxxxxxxxx>

> Documentation/security/IMA-templates.rst | 2 +
> security/integrity/ima/ima_template.c | 4 ++
> security/integrity/ima/ima_template_lib.c | 45 +++++++++++++++++++++++
> security/integrity/ima/ima_template_lib.h | 4 ++
> 4 files changed, 55 insertions(+)
>
> diff --git a/Documentation/security/IMA-templates.rst b/Documentation/security/IMA-templates.rst
> index 9f3e86ab028a..bf8ce4cf5878 100644
> --- a/Documentation/security/IMA-templates.rst
> +++ b/Documentation/security/IMA-templates.rst
> @@ -75,6 +75,8 @@ descriptors by adding their identifier to the format string
> - 'modsig' the appended file signature;
> - 'buf': the buffer data that was used to generate the hash without size limitations;
> - 'evmsig': the EVM portable signature;
> + - 'iuid': the inode UID;
> + - 'igid': the inode GID;
>
>
> Below, there is the list of defined template descriptors:
> diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c
> index 7a60848c04a5..a5ecd9e2581b 100644
> --- a/security/integrity/ima/ima_template.c
> +++ b/security/integrity/ima/ima_template.c
> @@ -47,6 +47,10 @@ static const struct ima_template_field supported_fields[] = {
> .field_show = ima_show_template_sig},
> {.field_id = "evmsig", .field_init = ima_eventevmsig_init,
> .field_show = ima_show_template_sig},
> + {.field_id = "iuid", .field_init = ima_eventinodeuid_init,
> + .field_show = ima_show_template_uint},
> + {.field_id = "igid", .field_init = ima_eventinodegid_init,
> + .field_show = ima_show_template_uint},
> };
>
> /*
> diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c
> index f23296c33da1..87b40f391739 100644
> --- a/security/integrity/ima/ima_template_lib.c
> +++ b/security/integrity/ima/ima_template_lib.c
> @@ -551,3 +551,48 @@ int ima_eventevmsig_init(struct ima_event_data *event_data,
> kfree(xattr_data);
> return rc;
> }
> +
> +static int ima_eventinodedac_init_common(struct ima_event_data *event_data,
> + struct ima_field_data *field_data,
> + bool get_uid)
> +{
> + unsigned int id;
> +
> + if (!event_data->file)
> + return 0;
> +
> + if (get_uid)
> + id = i_uid_read(file_inode(event_data->file));
> + else
> + id = i_gid_read(file_inode(event_data->file));
> +
> + if (ima_canonical_fmt) {
> + if (sizeof(id) == sizeof(u16))
> + id = cpu_to_le16(id);
> + else
> + id = cpu_to_le32(id);
> + }
> +
> + return ima_write_template_field_data((void *)&id, sizeof(id),
> + DATA_FMT_UINT, field_data);
> +}
> +
> +/*
> + * ima_eventinodeuid_init - include the inode UID as part of the template
> + * data
> + */
> +int ima_eventinodeuid_init(struct ima_event_data *event_data,
> + struct ima_field_data *field_data)
> +{
> + return ima_eventinodedac_init_common(event_data, field_data, true);
> +}
> +
> +/*
> + * ima_eventinodegid_init - include the inode GID as part of the template
> + * data
> + */
> +int ima_eventinodegid_init(struct ima_event_data *event_data,
> + struct ima_field_data *field_data)
> +{
> + return ima_eventinodedac_init_common(event_data, field_data, false);
> +}
> diff --git a/security/integrity/ima/ima_template_lib.h b/security/integrity/ima/ima_template_lib.h
> index 54b67c80b315..b0aaf109f386 100644
> --- a/security/integrity/ima/ima_template_lib.h
> +++ b/security/integrity/ima/ima_template_lib.h
> @@ -50,4 +50,8 @@ int ima_eventmodsig_init(struct ima_event_data *event_data,
> struct ima_field_data *field_data);
> int ima_eventevmsig_init(struct ima_event_data *event_data,
> struct ima_field_data *field_data);
> +int ima_eventinodeuid_init(struct ima_event_data *event_data,
> + struct ima_field_data *field_data);
> +int ima_eventinodegid_init(struct ima_event_data *event_data,
> + struct ima_field_data *field_data);
> #endif /* __LINUX_IMA_TEMPLATE_LIB_H */
> --
> 2.25.1
>

Next message: Srinivas Kandagatla: "Re: [PATCH 1/2] nvmem: core: constify nvmem_cell_read_variable_common() return value"
Previous message: Alex Ghiti: "Re: [PATCH v2] riscv: Map the kernel with correct permissions the first time"
In reply to: Roberto Sassu: "[PATCH v2 2/7] ima: Define new template fields iuid and igid"
Next in thread: Roberto Sassu: "[PATCH v2 3/7] ima: Define new template field imode"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]