提交 603cc292 编写于 作者: K Krzysztof Struczynski 提交者: Zheng Zengkai

digest list: disable digest lists in non-root ima namespaces

hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I49KW1
CVE: NA

--------------------------------

Disable digest list checks in non-root ima namespaces. Digest lists can
be re-enabled when they are namespaced.
Signed-off-by: NKrzysztof Struczynski <krzysztof.struczynski@huawei.com>
Reviewed-by: NZhang Tianxing <zhangtianxing3@huawei.com>
Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
上级 a847fd9b
......@@ -89,6 +89,9 @@ struct ima_digest *ima_lookup_digest(u8 *digest, enum hash_algo algo,
int digest_len = hash_digest_size[algo];
unsigned int key = ima_hash_key(digest);
if (&init_ima_ns != get_current_ns())
return NULL;
rcu_read_lock();
hlist_for_each_entry_rcu(d, &ima_digests_htable.queue[key], hnext)
if (d->algo == algo && d->type == type &&
......@@ -167,6 +170,9 @@ int ima_parse_compact_list(loff_t size, void *buf, int op)
size_t digest_len;
int ret = 0, i;
if (&init_ima_ns != get_current_ns())
return -EACCES;
if (!(ima_digest_list_actions & init_policy_data.ima_policy_flag))
return -EACCES;
......@@ -239,6 +245,9 @@ void ima_check_measured_appraised(struct file *file)
{
struct integrity_iint_cache *iint;
if (&init_ima_ns != get_current_ns())
return;
if (!ima_digest_list_actions)
return;
......@@ -275,6 +284,9 @@ void ima_check_measured_appraised(struct file *file)
struct ima_digest *ima_digest_allow(struct ima_digest *digest, int action)
{
if (&init_ima_ns != get_current_ns())
return NULL;
if (!(ima_digest_list_actions & action))
return NULL;
......
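Review bot: The same `&init_ima_ns != get_current_ns()` test is pasted into ima_lookup_digest, ima_parse_compact_list, ima_check_measured_appraised and ima_digest_allow without a comment saying why non-root namespaces are refused, so a reader of ima_lookup_digest alone cannot tell whether the NULL return is a deliberate "not found" for other namespaces or a gap. Factor the condition into one file-scope helper, e.g. `static inline bool ima_ns_is_init(void) { return get_current_ns() == &init_ima_ns; }`, headed by a comment along the lines of `/* Digest lists are global (not namespaced yet): only the init IMA namespace may load or consult them. */`, and call it at each site; that keeps the four return conventions (NULL, -EACCES, void) in one place when the rule is later relaxed. All four functions continue outside their hunks.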
......@@ -60,11 +60,17 @@ static int valid_policy = 1;
static int ima_open_simple(struct inode *inode, struct file *file)
{
struct dentry *dentry = file_dentry(file);
struct ima_namespace *ima_ns = get_current_ns();
if (!ns_capable(ima_ns->user_ns, CAP_SYS_ADMIN))
return -EPERM;
if (dentry == digests_count) {
if (&init_ima_ns != get_current_ns())
return -EACCES;
}
return 0;
}
......@@ -552,9 +558,12 @@ static int ima_open_data_upload(struct inode *inode, struct file *filp)
if (test_and_set_bit(flag, &ima_fs_flags))
return -EBUSY;
if (dentry == digest_list_data || dentry == digest_list_data_del)
if (dentry == digest_list_data || dentry == digest_list_data_del) {
if (&init_ima_ns != get_current_ns())
return -EACCES;
if (ima_check_current_is_parser())
ima_set_parser();
}
return 0;
}
......
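Review bot: In ima_open_data_upload the new `return -EACCES` sits after `test_and_set_bit(flag, &ima_fs_flags)` has already succeeded, and a failed open never reaches the release callback that clears the bit, so an open of digest_list_data from a non-init IMA namespace leaves the busy flag set and every later open, including from the init namespace, gets -EBUSY; either perform the namespace test before `test_and_set_bit`, or write `clear_bit(flag, &ima_fs_flags); return -EACCES;` at that site. Whether anything else resets ima_fs_flags is not visible here, so confirm against the release path. In ima_open_simple the local `ima_ns` fetched two lines earlier is already the current namespace, so the inner test can read `if (ima_ns != &init_ima_ns)` instead of calling get_current_ns() a second time. ima_open_data_upload starts outside the hunk.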