On Mon, Jan 8, 2018 at 4:18 AM, Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote: > On Fri, 2018-01-05 at 13:15 -0800, Matthew Garrett wrote: >> The existing BPRM_CHECK functionality in IMA validates against the >> credentials of the existing process, not any new credentials that the >> child process may transition to. Add an additional CREDS_CHECK target >> and refactor IMA to pass the appropriate creds structure. In >> ima_bprm_check(), check with both the existing process credentials and >> the credentials that will be committed when the new process is started. >> This will not change behaviour unless the system policy is extended to >> include CREDS_CHECK targets - BPRM_CHECK will continue to check the same >> credentials that it did previously. > > Refactoring IMA to pass the creds structure all the way down is a > generic solution, but if the CREDS_CHECK rule is only being called > from ima_bprm_check(), "container_of" the bprm->file returns a pointer > to the bprm structure. Perhaps you could limit the amount of > refactoring needed based on the func. Hm. This would avoid adding an argument to process_measurement(), but we'd still need to pass additional information down through ima_get_action() in order to get the creds and secid right. It feels a little ugly to have process_measurement() recreate information rather than having the caller pass it in, but I'm not going to object. > Could you include in the patch description a simple method for testing > this change? Certainly.
