From: Ajo Jose Panoor ajo.jose.panoor@huawei.com
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I4JC4P
CVE: NA
-----------------------------------------------------------------
Writing to securityfs (x509_for_children) fails with permission issues during IMANS configuration. It is because IMANS is checking for CAP_SYS_ADMIN capability in the initial user namespace and not in the newly created user namespace where the new process is actually part of.
Signed-off-by: Ajo Jose Panoor ajo.jose.panoor@huawei.com
Reviewed-by: Xiu Jianfeng xiujianfeng@huawei.com
Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com
---
 security/integrity/ima/ima_fs.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c index 00cd8095d346..b7959de25a5f 100644 --- a/security/integrity/ima/ima_fs.c +++ b/security/integrity/ima/ima_fs.c @@ -637,12 +637,16 @@ static const struct file_operations ima_data_upload_ops = { static int ima_open_for_children(struct inode *inode, struct file *file) { struct ima_namespace *ima_ns = get_current_ns(); + struct ima_namespace *ima_ns_for_children = current->nsproxy->ima_ns_for_children;
/* Allow to set children configuration only after unshare() */ if (ima_ns == current->nsproxy->ima_ns_for_children) return -EPERM;
- return ima_open_simple(inode, file); + if (!ns_capable(ima_ns_for_children->user_ns, CAP_SYS_ADMIN)) + return -EPERM; + + return 0; }
static ssize_t ima_write_x509_for_children(struct file *file,
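Review bot: replacing `return ima_open_simple(inode, file);` with a bare `return 0;` drops whatever `ima_open_simple()` did besides the capability check, and the hunk does not show its body; please confirm it performed nothing else the open path relies on, or keep the call after the new `ns_capable()` check. Two smaller points in the same hunk: the unchanged `if (ima_ns == current->nsproxy->ima_ns_for_children)` should use the new local `ima_ns_for_children` now that it exists, and since the check is being relaxed from the initial user namespace to the child's `user_ns` (so the creator of an unprivileged user namespace will pass it), the commit message should state explicitly that the x509_for_children configuration written here only affects that child IMA namespace, which is what makes the relaxation safe.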