diff options
author | Kevin Hilman <khilman@linaro.org> | 2015-09-14 14:20:38 -0700 |
---|---|---|
committer | Kevin Hilman <khilman@linaro.org> | 2015-09-14 14:20:38 -0700 |
commit | 705e0fe41b54f2dea954ebd692a870a36b04ce76 (patch) | |
tree | dc1c9e774d068ffac89fc9851c921c61cf44677d /security/integrity/ima/ima_policy.c | |
parent | 373cea9e2c9c6495a80efdae55cf2114f384a75b (diff) | |
parent | c765e5c15e7d23d2b8b37fafdafc63c0ea75fabf (diff) |
Merge branch 'linux-linaro-lsk-v3.14' into linux-linaro-lsk-v3.14-rtlsk-v3.14-16.03-rtlsk-v3.14-16.02-rtlsk-v3.14-16.01-rtlsk-v3.14-15.12-rtlsk-v3.14-15.11-rtlsk-v3.14-15.10-rtlsk-v3.14-15.09-rtlinux-linaro-lsk-v3.14-rt
* linux-linaro-lsk-v3.14: (66 commits)
Linux 3.14.52
arm64: KVM: Fix host crash when injecting a fault into a 32bit guest
SCSI: Fix NULL pointer dereference in runtime PM
arm64/mm: Remove hack in mmap randomize layout
crypto: caam - fix memory corruption in ahash_final_ctx
regmap: regcache-rbtree: Clean new present bits on present bitmap resize
libfc: Fix fc_fcp_cleanup_each_cmd()
libfc: Fix fc_exch_recv_req() error path
drm/vmwgfx: Fix execbuf locking issues
drm/radeon: add new OLAND pci id
EDAC, ppc4xx: Access mci->csrows array elements properly
localmodconfig: Use Kbuild files too
dm thin metadata: delete btrees when releasing metadata snapshot
perf: Fix PERF_EVENT_IOC_PERIOD migration race
perf: Fix fasync handling on inherited events
xen-blkfront: don't add indirect pages to list when !feature_persistent
mm/hwpoison: fix page refcount of unknown non LRU page
ipc/sem.c: update/correct memory barriers
ipc,sem: fix use after free on IPC_RMID after a task using same semaphore set exits
arm64: el0_dbg does not set link reg for return to user path, breaks debug
...
Diffstat (limited to 'security/integrity/ima/ima_policy.c')
-rw-r--r-- | security/integrity/ima/ima_policy.c | 47 |
1 files changed, 38 insertions, 9 deletions
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 085c4964be99..9d8e420a80d9 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -27,6 +27,8 @@ #define IMA_UID 0x0008 #define IMA_FOWNER 0x0010 #define IMA_FSUUID 0x0020 +#define IMA_INMASK 0x0040 +#define IMA_EUID 0x0080 #define UNKNOWN 0 #define MEASURE 0x0001 /* same as IMA_MEASURE */ @@ -171,6 +173,9 @@ static bool ima_match_rules(struct ima_rule_entry *rule, return false; if ((rule->flags & IMA_MASK) && rule->mask != mask) return false; + if ((rule->flags & IMA_INMASK) && + (!(rule->mask & mask) && func != POST_SETATTR)) + return false; if ((rule->flags & IMA_FSMAGIC) && rule->fsmagic != inode->i_sb->s_magic) return false; @@ -179,6 +184,16 @@ static bool ima_match_rules(struct ima_rule_entry *rule, return false; if ((rule->flags & IMA_UID) && !uid_eq(rule->uid, cred->uid)) return false; + if (rule->flags & IMA_EUID) { + if (has_capability_noaudit(current, CAP_SETUID)) { + if (!uid_eq(rule->uid, cred->euid) + && !uid_eq(rule->uid, cred->suid) + && !uid_eq(rule->uid, cred->uid)) + return false; + } else if (!uid_eq(rule->uid, cred->euid)) + return false; + } + if ((rule->flags & IMA_FOWNER) && !uid_eq(rule->fowner, inode->i_uid)) return false; for (i = 0; i < MAX_LSM_RULES; i++) { @@ -350,7 +365,8 @@ enum { Opt_audit, Opt_obj_user, Opt_obj_role, Opt_obj_type, Opt_subj_user, Opt_subj_role, Opt_subj_type, - Opt_func, Opt_mask, Opt_fsmagic, Opt_uid, Opt_fowner, + Opt_func, Opt_mask, Opt_fsmagic, + Opt_uid, Opt_euid, Opt_fowner, Opt_appraise_type, Opt_fsuuid, Opt_permit_directio }; @@ -371,6 +387,7 @@ static match_table_t policy_tokens = { {Opt_fsmagic, "fsmagic=%s"}, {Opt_fsuuid, "fsuuid=%s"}, {Opt_uid, "uid=%s"}, + {Opt_euid, "euid=%s"}, {Opt_fowner, "fowner=%s"}, {Opt_appraise_type, "appraise_type=%s"}, {Opt_permit_directio, "permit_directio"}, @@ -412,6 +429,7 @@ static void ima_log_string(struct audit_buffer *ab, char *key, char *value) static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) { struct audit_buffer *ab; + char *from; char *p; int result = 0; @@ -500,18 +518,23 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) if (entry->mask) result = -EINVAL; - if ((strcmp(args[0].from, "MAY_EXEC")) == 0) + from = args[0].from; + if (*from == '^') + from++; + + if ((strcmp(from, "MAY_EXEC")) == 0) entry->mask = MAY_EXEC; - else if (strcmp(args[0].from, "MAY_WRITE") == 0) + else if (strcmp(from, "MAY_WRITE") == 0) entry->mask = MAY_WRITE; - else if (strcmp(args[0].from, "MAY_READ") == 0) + else if (strcmp(from, "MAY_READ") == 0) entry->mask = MAY_READ; - else if (strcmp(args[0].from, "MAY_APPEND") == 0) + else if (strcmp(from, "MAY_APPEND") == 0) entry->mask = MAY_APPEND; else result = -EINVAL; if (!result) - entry->flags |= IMA_MASK; + entry->flags |= (*args[0].from == '^') + ? IMA_INMASK : IMA_MASK; break; case Opt_fsmagic: ima_log_string(ab, "fsmagic", args[0].from); @@ -542,6 +565,9 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) break; case Opt_uid: ima_log_string(ab, "uid", args[0].from); + case Opt_euid: + if (token == Opt_euid) + ima_log_string(ab, "euid", args[0].from); if (uid_valid(entry->uid)) { result = -EINVAL; @@ -550,11 +576,14 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) result = strict_strtoul(args[0].from, 10, &lnum); if (!result) { - entry->uid = make_kuid(current_user_ns(), (uid_t)lnum); - if (!uid_valid(entry->uid) || (((uid_t)lnum) != lnum)) + entry->uid = make_kuid(current_user_ns(), + (uid_t) lnum); + if (!uid_valid(entry->uid) || + (uid_t)lnum != lnum) result = -EINVAL; else - entry->flags |= IMA_UID; + entry->flags |= (token == Opt_uid) + ? IMA_UID : IMA_EUID; } break; case Opt_fowner: |