3.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 11 Aug 2015 00:03:35 +0000 (17:03 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 11 Aug 2015 00:03:35 +0000 (17:03 -0700)
added patches:
ima-add-support-for-new-euid-policy-condition.patch
ima-extend-mask-policy-matching-support.patch

queue-3.14/ima-add-support-for-new-euid-policy-condition.patch [new file with mode: 0644]
queue-3.14/ima-extend-mask-policy-matching-support.patch [new file with mode: 0644]
queue-3.14/series

diff --git a/queue-3.14/ima-add-support-for-new-euid-policy-condition.patch b/queue-3.14/ima-add-support-for-new-euid-policy-condition.patch
new file mode 100644 (file)
index 0000000..816a323
--- /dev/null
@@ -0,0 +1,118 @@
+From 139069eff7388407f19794384c42a534d618ccd7 Mon Sep 17 00:00:00 2001
+From: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Date: Wed, 5 Nov 2014 07:48:36 -0500
+Subject: ima: add support for new "euid" policy condition
+
+From: Mimi Zohar <zohar@linux.vnet.ibm.com>
+
+commit 139069eff7388407f19794384c42a534d618ccd7 upstream.
+
+The new "euid" policy condition measures files with the specified
+effective uid (euid).  In addition, for CAP_SETUID files it measures
+files with the specified uid or suid.
+
+Changelog:
+- fixed checkpatch.pl warnings
+- fixed avc denied {setuid} messages - based on Roberto's feedback
+
+Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Signed-off-by: Dr. Greg Wettstein <gw@idfusion.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/ABI/testing/ima_policy |    3 ++-
+ security/integrity/ima/ima_policy.c  |   27 +++++++++++++++++++++++----
+ 2 files changed, 25 insertions(+), 5 deletions(-)
+
+--- a/Documentation/ABI/testing/ima_policy
++++ b/Documentation/ABI/testing/ima_policy
+@@ -20,7 +20,7 @@ Description:
+               action: measure | dont_measure | appraise | dont_appraise | audit
+               condition:= base | lsm  [option]
+                       base:   [[func=] [mask=] [fsmagic=] [fsuuid=] [uid=]
+-                               [fowner]]
++                              [euid=] [fowner=]]
+                       lsm:    [[subj_user=] [subj_role=] [subj_type=]
+                                [obj_user=] [obj_role=] [obj_type=]]
+                       option: [[appraise_type=]] [permit_directio]
+@@ -30,6 +30,7 @@ Description:
+                       fsmagic:= hex value
+                       fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
+                       uid:= decimal value
++                      euid:= decimal value
+                       fowner:=decimal value
+               lsm:    are LSM specific
+               option: appraise_type:= [imasig]
+--- a/security/integrity/ima/ima_policy.c
++++ b/security/integrity/ima/ima_policy.c
+@@ -27,6 +27,7 @@
+ #define IMA_UID               0x0008
+ #define IMA_FOWNER    0x0010
+ #define IMA_FSUUID    0x0020
++#define IMA_EUID      0x0080
+ #define UNKNOWN               0
+ #define MEASURE               0x0001  /* same as IMA_MEASURE */
+@@ -179,6 +180,16 @@ static bool ima_match_rules(struct ima_r
+               return false;
+       if ((rule->flags & IMA_UID) && !uid_eq(rule->uid, cred->uid))
+               return false;
++      if (rule->flags & IMA_EUID) {
++              if (has_capability_noaudit(current, CAP_SETUID)) {
++                      if (!uid_eq(rule->uid, cred->euid)
++                          && !uid_eq(rule->uid, cred->suid)
++                          && !uid_eq(rule->uid, cred->uid))
++                              return false;
++              } else if (!uid_eq(rule->uid, cred->euid))
++                      return false;
++      }
++
+       if ((rule->flags & IMA_FOWNER) && !uid_eq(rule->fowner, inode->i_uid))
+               return false;
+       for (i = 0; i < MAX_LSM_RULES; i++) {
+@@ -350,7 +361,8 @@ enum {
+       Opt_audit,
+       Opt_obj_user, Opt_obj_role, Opt_obj_type,
+       Opt_subj_user, Opt_subj_role, Opt_subj_type,
+-      Opt_func, Opt_mask, Opt_fsmagic, Opt_uid, Opt_fowner,
++      Opt_func, Opt_mask, Opt_fsmagic,
++      Opt_uid, Opt_euid, Opt_fowner,
+       Opt_appraise_type, Opt_fsuuid, Opt_permit_directio
+ };
+@@ -371,6 +383,7 @@ static match_table_t policy_tokens = {
+       {Opt_fsmagic, "fsmagic=%s"},
+       {Opt_fsuuid, "fsuuid=%s"},
+       {Opt_uid, "uid=%s"},
++      {Opt_euid, "euid=%s"},
+       {Opt_fowner, "fowner=%s"},
+       {Opt_appraise_type, "appraise_type=%s"},
+       {Opt_permit_directio, "permit_directio"},
+@@ -542,6 +555,9 @@ static int ima_parse_rule(char *rule, st
+                       break;
+               case Opt_uid:
+                       ima_log_string(ab, "uid", args[0].from);
++              case Opt_euid:
++                      if (token == Opt_euid)
++                              ima_log_string(ab, "euid", args[0].from);
+                       if (uid_valid(entry->uid)) {
+                               result = -EINVAL;
+@@ -550,11 +566,14 @@ static int ima_parse_rule(char *rule, st
+                       result = strict_strtoul(args[0].from, 10, &lnum);
+                       if (!result) {
+-                              entry->uid = make_kuid(current_user_ns(), (uid_t)lnum);
+-                              if (!uid_valid(entry->uid) || (((uid_t)lnum) != lnum))
++                              entry->uid = make_kuid(current_user_ns(),
++                                                     (uid_t) lnum);
++                              if (!uid_valid(entry->uid) ||
++                                  (uid_t)lnum != lnum)
+                                       result = -EINVAL;
+                               else
+-                                      entry->flags |= IMA_UID;
++                                      entry->flags |= (token == Opt_uid)
++                                          ? IMA_UID : IMA_EUID;
+                       }
+                       break;
+               case Opt_fowner:
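Review bot: The `case Opt_uid:` label in the ima_parse_rule hunk now falls through into the new `case Opt_euid:` after its ima_log_string call with no annotation; the fallthrough is evidently intended (the euid case re-tests `token == Opt_euid` before logging), but an unmarked one is what -Wimplicit-fallthrough and reviewers flag, so add `/* fallthrough */` between `ima_log_string(ab, "uid", args[0].from);` and `case Opt_euid:`. Because both options store into the same `entry->uid` field (and ima_match_rules compares `rule->uid` against euid/suid/uid for an IMA_EUID rule), a rule cannot carry both `uid=` and `euid=`; the existing `if (uid_valid(entry->uid)) result = -EINVAL;` enforces that, and a one-line comment such as `/* uid= and euid= share entry->uid, so a rule may set only one of them */` would make it clearly intentional rather than incidental. ima_parse_rule starts and ends outside the hunk.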
diff --git a/queue-3.14/ima-extend-mask-policy-matching-support.patch b/queue-3.14/ima-extend-mask-policy-matching-support.patch
new file mode 100644 (file)
index 0000000..19bc544
--- /dev/null
@@ -0,0 +1,92 @@
+From 4351c294b8c1028077280f761e158d167b592974 Mon Sep 17 00:00:00 2001
+From: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Date: Wed, 5 Nov 2014 07:53:55 -0500
+Subject: ima: extend "mask" policy matching support
+
+From: Mimi Zohar <zohar@linux.vnet.ibm.com>
+
+commit 4351c294b8c1028077280f761e158d167b592974 upstream.
+
+The current "mask" policy option matches files opened as MAY_READ,
+MAY_WRITE, MAY_APPEND or MAY_EXEC.  This patch extends the "mask"
+option to match files opened containing one of these modes.  For
+example, "mask=^MAY_READ" would match files opened read-write.
+
+Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Signed-off-by: Dr. Greg Wettstein <gw@idfusion.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/ABI/testing/ima_policy |    3 ++-
+ security/integrity/ima/ima_policy.c  |   20 +++++++++++++++-----
+ 2 files changed, 17 insertions(+), 6 deletions(-)
+
+--- a/Documentation/ABI/testing/ima_policy
++++ b/Documentation/ABI/testing/ima_policy
+@@ -26,7 +26,8 @@ Description:
+                       option: [[appraise_type=]] [permit_directio]
+               base:   func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK]
+-                      mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC]
++                      mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
++                             [[^]MAY_EXEC]
+                       fsmagic:= hex value
+                       fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
+                       uid:= decimal value
+--- a/security/integrity/ima/ima_policy.c
++++ b/security/integrity/ima/ima_policy.c
+@@ -27,6 +27,7 @@
+ #define IMA_UID               0x0008
+ #define IMA_FOWNER    0x0010
+ #define IMA_FSUUID    0x0020
++#define IMA_INMASK    0x0040
+ #define IMA_EUID      0x0080
+ #define UNKNOWN               0
+@@ -172,6 +173,9 @@ static bool ima_match_rules(struct ima_r
+               return false;
+       if ((rule->flags & IMA_MASK) && rule->mask != mask)
+               return false;
++      if ((rule->flags & IMA_INMASK) &&
++          (!(rule->mask & mask) && func != POST_SETATTR))
++              return false;
+       if ((rule->flags & IMA_FSMAGIC)
+           && rule->fsmagic != inode->i_sb->s_magic)
+               return false;
+@@ -425,6 +429,7 @@ static void ima_log_string(struct audit_
+ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
+ {
+       struct audit_buffer *ab;
++      char *from;
+       char *p;
+       int result = 0;
+@@ -513,18 +518,23 @@ static int ima_parse_rule(char *rule, st
+                       if (entry->mask)
+                               result = -EINVAL;
+-                      if ((strcmp(args[0].from, "MAY_EXEC")) == 0)
++                      from = args[0].from;
++                      if (*from == '^')
++                              from++;
++
++                      if ((strcmp(from, "MAY_EXEC")) == 0)
+                               entry->mask = MAY_EXEC;
+-                      else if (strcmp(args[0].from, "MAY_WRITE") == 0)
++                      else if (strcmp(from, "MAY_WRITE") == 0)
+                               entry->mask = MAY_WRITE;
+-                      else if (strcmp(args[0].from, "MAY_READ") == 0)
++                      else if (strcmp(from, "MAY_READ") == 0)
+                               entry->mask = MAY_READ;
+-                      else if (strcmp(args[0].from, "MAY_APPEND") == 0)
++                      else if (strcmp(from, "MAY_APPEND") == 0)
+                               entry->mask = MAY_APPEND;
+                       else
+                               result = -EINVAL;
+                       if (!result)
+-                              entry->flags |= IMA_MASK;
++                              entry->flags |= (*args[0].from == '^')
++                                   ? IMA_INMASK : IMA_MASK;
+                       break;
+               case Opt_fsmagic:
+                       ima_log_string(ab, "fsmagic", args[0].from);
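Review bot: The new IMA_INMASK check in ima_match_rules exempts `func != POST_SETATTR` without saying why, while the IMA_MASK check two lines above it has no such exemption, so `mask=^MAY_x` and `mask=MAY_x` rules diverge for that hook and a reader cannot tell whether the asymmetry is deliberate. If the reason is that the POST_SETATTR hook carries no open mode in `mask` (so an in-mask rule would otherwise never match there), a comment above the condition such as `/* POST_SETATTR passes no open mode, so an in-mask rule still applies there */` would record it; as written it looks accidental. In the ima_parse_rule hunk the leading `^` is tested twice, once via `if (*from == '^') from++;` and again as `(*args[0].from == '^')` when choosing the flag; computing `bool inmask = (*args[0].from == '^');` once and using it for both the skip and the flag keeps the parse and the flag in step. ima_match_rules starts and ends outside the hunk.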
index 356b8dd09d2cb926eb0badab5308414064693a5e..bb8a42a2f3612161c5ea84737d3ea88e2c82a9ee 100644 (file)
@@ -9,3 +9,5 @@ ipr-fix-incorrect-trace-indexing.patch
 ipr-fix-invalid-array-indexing-for-hrrq.patch
 xhci-fix-off-by-one-error-in-trb-dma-address-boundary-check.patch
 usb-sierra-add-1199-68ab-device-id.patch
+ima-add-support-for-new-euid-policy-condition.patch
+ima-extend-mask-policy-matching-support.patch