From: Krzysztof Struczynski krzysztof.struczynski@huawei.com
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I49KW1 CVE: NA
--------------------------------
Disable digest list checks in non-root ima namespaces. Digest lists can be re-enabled when they are namespaced.
Signed-off-by: Krzysztof Struczynski krzysztof.struczynski@huawei.com
Reviewed-by: Zhang Tianxing zhangtianxing3@huawei.com
Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com
---
security/integrity/ima/ima_digest_list.c | 12 ++++++++++++
security/integrity/ima/ima_fs.c | 11 ++++++++++-
2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/security/integrity/ima/ima_digest_list.c b/security/integrity/ima/ima_digest_list.c
index 74b08c3a3c81..3ffaffe8d064 100644
--- a/security/integrity/ima/ima_digest_list.c
+++ b/security/integrity/ima/ima_digest_list.c
@@ -89,6 +89,9 @@ struct ima_digest *ima_lookup_digest(u8 *digest, enum hash_algo algo,
 int digest_len = hash_digest_size[algo];
 unsigned int key = ima_hash_key(digest);
+ if (&init_ima_ns != get_current_ns())
+ return NULL;
+
 rcu_read_lock();
 hlist_for_each_entry_rcu(d, &ima_digests_htable.queue[key], hnext)
 if (d->algo == algo && d->type == type &&
@@ -167,6 +170,9 @@ int ima_parse_compact_list(loff_t size, void *buf, int op)
 size_t digest_len;
 int ret = 0, i;
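Review bot: The new guard at the top of ima_lookup_digest makes a lookup silently report "no such digest" for every caller outside the initial IMA namespace, and nothing in the hunk tells a reader why; a comment above it such as `/* Digest lists are not namespaced yet: only init_ima_ns may consult them, everyone else gets a miss (fail closed). */` would anchor the NULL return to the commit's rationale. The identical `&init_ima_ns != get_current_ns()` test is repeated verbatim in the ima_parse_compact_list, ima_check_measured_appraised and ima_digest_allow hunks below and twice more in ima_fs.c; a single `static inline bool` helper next to the ima_namespace definition (a name like `ima_ns_is_init()` is only a suggestion, not an existing symbol) would keep the six sites in step when digest lists are later namespaced, which the commit message says is the plan. ima_lookup_digest's body continues past the hunk, so the remaining rcu-protected loop was not reviewed here.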
+ if (&init_ima_ns != get_current_ns())
+ return -EACCES;
+
 if (!(ima_digest_list_actions & init_policy_data.ima_policy_flag))
 return -EACCES;
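Review bot: ima_parse_compact_list now returns -EACCES both when the caller sits outside init_ima_ns and, on the context line right after, when `ima_digest_list_actions` does not enable the operation, so a caller cannot tell an unsupported namespace from a policy refusal. If that distinction is useful to the upload path, -EOPNOTSUPP is the conventional code for the namespace case; if -EACCES is deliberate, a one-line comment above the new check, `/* digest lists are global: refuse parsing from child namespaces */`, states the intent. The rest of the function, including how `buf` and `size` are consumed, lies outside the hunk.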
@@ -239,6 +245,9 @@ void ima_check_measured_appraised(struct file *file)
 {
 struct integrity_iint_cache *iint;
+ if (&init_ima_ns != get_current_ns())
+ return;
+
 if (!ima_digest_list_actions)
 return;
@@ -275,6 +284,9 @@ void ima_check_measured_appraised(struct file *file)
struct ima_digest *ima_digest_allow(struct ima_digest *digest, int action)
 {
+ if (&init_ima_ns != get_current_ns())
+ return NULL;
+
 if (!(ima_digest_list_actions & action))
 return NULL;
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index 6738cfc5a3dd..dd0b0f431a23 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -60,11 +60,17 @@ static int valid_policy = 1;
static int ima_open_simple(struct inode *inode, struct file *file)
 {
+ struct dentry *dentry = file_dentry(file);
 struct ima_namespace *ima_ns = get_current_ns();
 if (!ns_capable(ima_ns->user_ns, CAP_SYS_ADMIN))
 return -EPERM;
+ if (dentry == digests_count) {
+ if (&init_ima_ns != get_current_ns())
+ return -EACCES;
+ }
+
 return 0;
 }
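Review bot: ima_open_simple already holds the current namespace in `ima_ns`, declared on the line directly after the new `dentry` variable, yet the new check calls get_current_ns() a second time for the same value and nests two ifs where one suffices: `if (dentry == digests_count && ima_ns != &init_ima_ns)` followed by `return -EACCES;`. Keep the flattened condition where the nested one is now, after the ns_capable() test, so a caller without CAP_SYS_ADMIN in its user namespace still sees -EPERM and does not learn from a differing errno that digests_count is root-namespace only. Whether `digests_count` is a file-scope dentry pointer, as its use here implies, cannot be confirmed from the hunk.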
@@ -552,9 +558,12 @@ static int ima_open_data_upload(struct inode *inode, struct file *filp)
 if (test_and_set_bit(flag, &ima_fs_flags))
 return -EBUSY;
- if (dentry == digest_list_data || dentry == digest_list_data_del)
+ if (dentry == digest_list_data || dentry == digest_list_data_del) {
+ if (&init_ima_ns != get_current_ns())
+ return -EACCES;
 if (ima_check_current_is_parser())
 ima_set_parser();
+ }
 return 0;
 }
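Review bot: The new `return -EACCES` in ima_open_data_upload runs after `test_and_set_bit(flag, &ima_fs_flags)` has already succeeded on the context line above, and nothing on this error path clears the bit; if, as in the usual IMA securityfs pattern, the busy bit is only released in the file's release handler, which is never invoked for an open() that fails, a caller in a child IMA namespace can leave digest_list_data or digest_list_data_del reporting -EBUSY for the initial namespace as well, a cross-namespace denial of service. Either drop the bit on the way out, `clear_bit(flag, &ima_fs_flags);` immediately before the new return, or move the namespace test ahead of test_and_set_bit() so the flag is never taken. The start of the function, where `dentry` and `flag` are assigned and any capability check lives, is outside the hunk, so whether an unprivileged task can reach this path could not be confirmed.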