Re: [PATCH v8 18/19] ima: Show owning user namespace's uid and gid when displaying policy

From: Christian Brauner
Date: Wed Jan 19 2022 - 04:24:09 EST


On Tue, Jan 18, 2022 at 11:31:29AM -0500, Stefan Berger wrote:
>
> On 1/14/22 08:45, Christian Brauner wrote:
> > On Tue, Jan 04, 2022 at 12:04:15PM -0500, Stefan Berger wrote:
> > > From: Stefan Berger <stefanb@xxxxxxxxxxxxx>
> > >
> > > Show the uid and gid values of the owning user namespace when displaying
> > > the IMA policy rather than the kernel uid and gid values. Now the same uid
> > > and gid values are shown in the policy as those that were used when the
> > > policy was set.
> > >
> > > Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>
> > > ---
> > > security/integrity/ima/ima_policy.c | 19 +++++++++++++------
> > > 1 file changed, 13 insertions(+), 6 deletions(-)
> > >
> > > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> > > index 15c68dc5da9e..b7dbc687b6ff 100644
> > > --- a/security/integrity/ima/ima_policy.c
> > > +++ b/security/integrity/ima/ima_policy.c
> > > @@ -1997,6 +1997,7 @@ static void ima_policy_show_appraise_algos(struct seq_file *m,
> > > int ima_policy_show(struct seq_file *m, void *v)
> > > {
> > > + struct user_namespace *user_ns = ima_user_ns_from_file(m->file);
> > Hm, so when looking at the policy entries via seq_file's .show method
> > and displaying the {g,u}id values of the rules we don't want the values
> > resolved according to the user namespace the securityfs instances was
> > mounted in. That would be misleading for callers that are in an
> > ancestor userns (which we allow in .permission).
> >
> > So we want to make sure that we see the values as the opener of the file
> > would see them. This is similar to e.g. looking at a task's ids through
> > /proc/<pid>/status. So this should be seq_user_ns(m) instead of
> > ima_user_ns_from_file().
> > > struct ima_rule_entry *entry = v;
> > > int i;
> > > char tbuf[64] = {0,};
> > > @@ -2074,7 +2075,8 @@ int ima_policy_show(struct seq_file *m, void *v)
> > > }
> > > if (entry->flags & IMA_UID) {
> > > - snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid));
> > > + snprintf(tbuf, sizeof(tbuf),
> > > + "%d", from_kuid(user_ns, entry->uid));
> > This should be from_k{g,u}id_munged().
>
> Thanks, fixed.
>
> When I run a runc container as uid=1000 I see uid = 0 when inside the
> container and when entering its mount namespace from root account via
> nsenter it shows 'uid = 1000' while before it was showing 'uid = 0'.

Yes, when you're only entering the mountns you should see uid 1000 as
that's what that {g,u}id is mapped to in your namespace and you've
opened __and read__ that file from the same namespace.

(Now, if you were to open that fd and send it back to a process running
in the container and that process does the read it would still see 1000.
But that's ok, because we care about the opener's creds.)