On Wed, Apr 20, 2022 at 10:06:18AM -0400, Stefan Berger wrote: > Define mac_admin_ns_capable() as a wrapper for the combined ns_capable() > checks on CAP_MAC_ADMIN and CAP_SYS_ADMIN in a user namespace. Return > true on the check if either capability or both are available. > > Use mac_admin_ns_capable() in place of capable(SYS_ADMIN). This will allow > an IMA namespace to read the policy with only CAP_MAC_ADMIN, which has > less privileges than CAP_SYS_ADMIN. > > Since CAP_MAC_ADMIN is an additional capability added to an existing gate > avoid auditing in case it is not set. It would probably be best to become a user of https://lore.kernel.org/all/20220217145003.78982-2-cgzones@xxxxxxxxxxxxxx/ when that lands. > Signed-off-by: Denis Semakin <denis.semakin@xxxxxxxxxx> > Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx> > > --- > v11: > - use ns_capable_noaudit for CAP_MAC_ADMIN to avoid auditing in this case > --- > include/linux/capability.h | 6 ++++++ > security/integrity/ima/ima.h | 6 ++++++ > security/integrity/ima/ima_fs.c | 5 ++++- > 3 files changed, 16 insertions(+), 1 deletion(-) > > diff --git a/include/linux/capability.h b/include/linux/capability.h > index 65efb74c3585..dc3e1230b365 100644 > --- a/include/linux/capability.h > +++ b/include/linux/capability.h > @@ -270,6 +270,12 @@ static inline bool checkpoint_restore_ns_capable(struct user_namespace *ns) > ns_capable(ns, CAP_SYS_ADMIN); > } > > +static inline bool mac_admin_ns_capable(struct user_namespace *ns) > +{ > + return ns_capable_noaudit(ns, CAP_MAC_ADMIN) || > + ns_capable(ns, CAP_SYS_ADMIN); > +} > + > /* audit system wants to get cap info from files as well */ > int get_vfs_caps_from_disk(struct user_namespace *mnt_userns, > const struct dentry *dentry, > diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h > index 5bf7f080c2be..626a6ce2453c 100644 > --- a/security/integrity/ima/ima.h > +++ b/security/integrity/ima/ima.h > @@ -491,4 +491,10 @@ static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op, > #define POLICY_FILE_FLAGS S_IWUSR > #endif /* CONFIG_IMA_READ_POLICY */ > > +static inline > +struct user_namespace *ima_user_ns_from_file(const struct file *filp) > +{ > + return file_inode(filp)->i_sb->s_user_ns; > +} include/linux/fs.h has file_mnt_user_ns(). Maybe you should add a file_sb_user_ns() next to that? > + > #endif /* __LINUX_IMA_H */ > diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c > index 89d3113ceda1..c41aa61b7393 100644 > --- a/security/integrity/ima/ima_fs.c > +++ b/security/integrity/ima/ima_fs.c > @@ -377,6 +377,9 @@ static const struct seq_operations ima_policy_seqops = { > */ > static int ima_open_policy(struct inode *inode, struct file *filp) > { > +#ifdef CONFIG_IMA_READ_POLICY > + struct user_namespace *user_ns = ima_user_ns_from_file(filp); > +#endif > struct ima_namespace *ns = &init_ima_ns; > > if (!(filp->f_flags & O_WRONLY)) { > @@ -385,7 +388,7 @@ static int ima_open_policy(struct inode *inode, struct file *filp) > #else > if ((filp->f_flags & O_ACCMODE) != O_RDONLY) > return -EACCES; > - if (!capable(CAP_SYS_ADMIN)) > + if (!mac_admin_ns_capable(user_ns)) > return -EPERM; > return seq_open(filp, &ima_policy_seqops); > #endif > -- > 2.34.1
