| field | value | date |
|---|---|---|
| author | Christian Brauner <christian.brauner@ubuntu.com> | 2021-01-21 14:19:45 +0100 |
| committer | Christian Brauner <christian.brauner@ubuntu.com> | 2021-01-24 14:27:20 +0100 |
| commit | a2d2329e30e224ea68d575d2525b866df9805ea0 (patch) | |
| tree | 5c56b6472bcb77840030918e5d0ea28077762365 /security/integrity/ima/ima_api.c | |
| parent | 3cee6079f62f4d3a37d9dda2e0851677e08028ff (diff) | |
| download | lwn-a2d2329e30e224ea68d575d2525b866df9805ea0.tar.gz, lwn-a2d2329e30e224ea68d575d2525b866df9805ea0.zip | |
ima: handle idmapped mounts
IMA does sometimes access the inode's i_uid and compares it against the
rules' fowner. Enable IMA to handle idmapped mounts by passing down the
mount's user namespace. We simply make use of the helpers we introduced
before. If the initial user namespace is passed nothing changes so
non-idmapped mounts will see identical behavior as before.
Link: https://lore.kernel.org/r/20210121131959.646623-27-christian.brauner@ubuntu.com
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
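The point of the commit message, that a rule's fowner has to be compared with the inode owner as seen through the mount's user namespace rather than with the raw stored i_uid, as an added user-space C example. This is not kernel code and not part of the patch: the struct user_namespace, make_kuid(), i_uid_into_mnt() and fowner matching below are simplified models of the kernel helpers of the same names, written for this illustration, and the namespace mapping (ids 1000..1999 seen through the mount corresponding to kernel uids 10000..10999) and the inode owners are constructed sample data. It goes slightly beyond the page's hunks by placing the pre-patch comparison against the raw i_uid beside the post-patch mapped comparison, so the behavioural difference on an idmapped mount is visible.

```c
/*
 * Added example, not part of the kernel or of this patch: a user-space model
 * of why ima_get_action() needs the mount's user namespace.  The structs and
 * helpers mirror the shape of the kernel's make_kuid()/i_uid_into_mnt()/
 * fowner matching but are simplified models written for this illustration;
 * the namespace mapping and inode values are constructed sample data.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define INVALID_UID ((uint32_t)-1)

/* One id range: ids [first, first+count) inside the namespace correspond to
 * kernel ids [lower_first, lower_first+count). */
struct uid_extent { uint32_t first, lower_first, count; };

struct user_namespace {
    const char *name;
    const struct uid_extent *map;
    int nr_extents;
};

/* Model of the initial namespace: an identity mapping. */
static const struct user_namespace init_user_ns = { "init_user_ns", NULL, 0 };

/* Constructed idmapped-mount namespace (sample data): ids 1000..1999 seen
 * through the mount correspond to kernel uids 10000..10999. */
static const struct uid_extent example_extents[] = { { 1000, 10000, 1000 } };
static const struct user_namespace example_mnt_userns = {
    "example_mnt_userns", example_extents, 1
};

/* Model of make_kuid(): translate an id valid inside ns into a kernel uid,
 * or INVALID_UID when the namespace has no mapping for it. */
static uint32_t make_kuid(const struct user_namespace *ns, uint32_t id)
{
    if (ns == &init_user_ns)
        return id;
    for (int i = 0; i < ns->nr_extents; i++) {
        const struct uid_extent *e = &ns->map[i];
        if (id >= e->first && id - e->first < e->count)
            return e->lower_first + (id - e->first);
    }
    return INVALID_UID;
}

/* The inode owner as the vfs stores it (a kernel uid). */
struct inode { uint32_t i_uid; };

/* Model of i_uid_into_mnt(): on an idmapped mount the stored uid is
 * reinterpreted through the mount's user namespace; with init_user_ns it is
 * returned unchanged, which is why non-idmapped mounts keep old behaviour. */
static uint32_t i_uid_into_mnt(const struct user_namespace *mnt_userns,
                               const struct inode *inode)
{
    return make_kuid(mnt_userns, inode->i_uid);
}

/* An IMA policy rule reduced to its fowner= condition: a kernel uid that was
 * resolved when the policy was loaded. */
struct ima_rule { bool fowner_set; uint32_t fowner; };

/* Pre-patch shape: compares the rule against the raw stored i_uid and so
 * ignores any idmapping on the mount the file was reached through. */
static bool fowner_matches_raw(const struct inode *inode,
                               const struct ima_rule *rule)
{
    return !rule->fowner_set || inode->i_uid == rule->fowner;
}

/* Post-patch shape: the owner is mapped through mnt_userns first, and an
 * owner the mount cannot map never satisfies a fowner= rule. */
static bool fowner_matches_mnt(const struct user_namespace *mnt_userns,
                               const struct inode *inode,
                               const struct ima_rule *rule)
{
    if (!rule->fowner_set)
        return true;
    uint32_t owner = i_uid_into_mnt(mnt_userns, inode);
    return owner != INVALID_UID && owner == rule->fowner;
}

int main(void)
{
    struct inode file = { 1000 };            /* raw owner uid 1000 */
    struct ima_rule rule_1000 = { true, 1000 };
    struct ima_rule rule_10000 = { true, 10000 };

    printf("non-idmapped mount, fowner=1000:  raw=%d mnt=%d\n",
           fowner_matches_raw(&file, &rule_1000),
           fowner_matches_mnt(&init_user_ns, &file, &rule_1000));
    printf("idmapped mount,     fowner=1000:  raw=%d mnt=%d\n",
           fowner_matches_raw(&file, &rule_1000),
           fowner_matches_mnt(&example_mnt_userns, &file, &rule_1000));
    printf("idmapped mount,     fowner=10000: raw=%d mnt=%d\n",
           fowner_matches_raw(&file, &rule_10000),
           fowner_matches_mnt(&example_mnt_userns, &file, &rule_10000));
    return 0;
}
```

Through the idmapped mount the file owned by raw uid 1000 is seen as kuid 10000, so the mapped comparison matches a fowner=10000 rule and no longer a fowner=1000 one, while the raw comparison keeps matching fowner=1000 regardless of the mount; with init_user_ns both shapes agree, which is the "nothing changes" case the commit message describes.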
Diffstat (limited to 'security/integrity/ima/ima_api.c')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | security/integrity/ima/ima_api.c | 10 |

1 files changed, 6 insertions, 4 deletions
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index 4f39fb93f278..ed410efb3597 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -162,6 +162,7 @@ err_out: /** * ima_get_action - appraise & measure decision based on policy. + * @mnt_userns: user namespace of the mount the inode was found from * @inode: pointer to the inode associated with the object being validated * @cred: pointer to credentials structure to validate * @secid: secid of the task being validated @@ -183,8 +184,9 @@ err_out: * Returns IMA_MEASURE, IMA_APPRAISE mask. * */ -int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid, - int mask, enum ima_hooks func, int *pcr, +int ima_get_action(struct user_namespace *mnt_userns, struct inode *inode, + const struct cred *cred, u32 secid, int mask, + enum ima_hooks func, int *pcr, struct ima_template_desc **template_desc, const char *keyring) { @@ -192,8 +194,8 @@ int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid, flags &= ima_policy_flag; - return ima_match_policy(inode, cred, secid, func, mask, flags, pcr, - template_desc, keyring); + return ima_match_policy(mnt_userns, inode, cred, secid, func, mask, + flags, pcr, template_desc, keyring); } /* |
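Review bot: the new `@mnt_userns` kernel-doc line in the first hunk (the `ima_get_action` comment block at `@@ -162,6 +162,7 @@`) should also say what a caller passes for a non-idmapped mount. The commit message states that passing the initial user namespace leaves behaviour unchanged, but the header comment gives a new caller no hint that a non-idmapped mount is expressed by passing the initial user namespace rather than by some other value; something like `@mnt_userns: user namespace of the mount the inode was found from (the initial user namespace for non-idmapped mounts)` would carry that over into the documentation.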
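Review bot: the signature change in the second hunk (`@@ -183,8 +184,9 @@`, `ima_get_action(struct user_namespace *mnt_userns, struct inode *inode, ...)`) only builds if the prototype in the IMA header and every caller of `ima_get_action()` are updated in the same series, and the diffstat on this page is limited to `security/integrity/ima/ima_api.c`, so that cannot be confirmed from what is shown here and should be checked against the full series at the Link above. The third hunk's call `ima_match_policy(mnt_userns, inode, cred, secid, func, mask, flags, pcr, template_desc, keyring)` likewise depends on the matching `ima_match_policy()` change outside this file. Placing `mnt_userns` first in both signatures keeps the two call paths consistent, which is the right choice.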