> From: Lakshmi Ramasubramanian [mailto:nramas@xxxxxxxxxxxxxxxxxxx]
> Sent: Tuesday, July 6, 2021 9:30 PM
> On 7/5/2021 4:56 AM, Roberto Sassu wrote:
>
> Hi Roberto,
>
> > This patch makes the 'euid' keyword available for buffer measurement rules,
> > in the same way as for other rules. Currently, there is only support for
> > the 'uid' keyword.
> >
> > With this change, buffer measurement (or non-measurement) can depend also
> > on the process effective UID.
>
> Who (kernel component) will be using this?

Hi Lakshmi,

I'm using it in a (not yet submitted) test for digest lists. It is in a
dont_measure rule to try to unload a digest list without measurement and
to check that this is not allowed if the digest list was measured at
addition time (to ensure completeness of information).

> Maybe you could make this change as part of the patch set in which the
> above "euid" support will be used.

I wanted to send the digest lists patch set without anything else. I could
resend the patch as part of that patch set if it is preferred.

Thanks

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli

> thanks,
> -lakshmi
>
> >
> > Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
> > ---
> >  security/integrity/ima/ima_policy.c | 12 +++++++++++-
> >  1 file changed, 11 insertions(+), 1 deletion(-)
> >
> > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> > index fd5d46e511f1..fdaa030fb04b 100644
> > --- a/security/integrity/ima/ima_policy.c
> > +++ b/security/integrity/ima/ima_policy.c
> > @@ -480,6 +480,16 @@ static bool ima_match_rule_data(struct > ima_rule_entry *rule, > > if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) > > return false; > > > > + if (rule->flags & IMA_EUID) { > > + if (has_capability_noaudit(current, CAP_SETUID)) { > > + if (!rule->uid_op(cred->euid, rule->uid) > > + && !rule->uid_op(cred->suid, rule->uid) > > + && !rule->uid_op(cred->uid, rule->uid)) > > + return false; > > + } else if (!rule->uid_op(cred->euid, rule->uid)) > > + return false; > > + } > > + > > switch (rule->func) { > > case KEY_CHECK: > > if (!rule->keyrings) > > @@ -1153,7 +1163,7 @@ static bool ima_validate_rule(struct > ima_rule_entry *entry) > > if (entry->action & ~(MEASURE | DONT_MEASURE)) > > return false; > > > > - if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR | > > + if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_EUID | > IMA_PCR | > > IMA_LABEL)) > > return false; > > > >
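Review bot: the new `IMA_EUID` block in ima_match_rule_data() hand-copies the euid/suid/uid matching that the commit message says already exists for the other rule types ("in the same way as for other rules"), so there will now be two copies of the same CAP_SETUID-dependent logic that can drift apart if one is ever changed; factor the three `rule->uid_op()` comparisons into a small helper taking `rule` and `cred` and call it from both paths, so the buffer path reduces to something like `if ((rule->flags & IMA_EUID) && !ima_match_euid(rule, cred)) return false;`. Also, the diffstat shows only security/integrity/ima/ima_policy.c changing: since the ima_validate_rule() hunk now accepts `IMA_EUID` for buffer rules, the policy ABI documentation that lists which keywords are valid for those rules should be updated in the same patch so that the newly accepted `euid` keyword is not undocumented.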