ima: add support for new "euid" policy condition

The new "euid" policy condition measures files with the specified
effective uid (euid).  In addition, for CAP_SETUID files it measures
files with the specified uid or suid.

Changelog:
- fixed checkpatch.pl warnings
- fixed avc denied {setuid} messages - based on Roberto's feedback

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Dr. Greg Wettstein <gw@idfusion.org>
Cc: stable@vger.kernel.org

diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
index 8ae3f57..4a571fa 100644 (file)
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -20,7 +20,7 @@ Description:
                action: measure | dont_measure | appraise | dont_appraise | audit
                condition:= base | lsm  [option]
                        base:   [[func=] [mask=] [fsmagic=] [fsuuid=] [uid=]
-                                [fowner]]
+                               [euid=] [fowner=]]
                        lsm:    [[subj_user=] [subj_role=] [subj_type=]
                                 [obj_user=] [obj_role=] [obj_type=]]
                        option: [[appraise_type=]] [permit_directio]
@@ -31,6 +31,7 @@ Description:
                        fsmagic:= hex value
                        fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
                        uid:= decimal value
+                       euid:= decimal value
                        fowner:=decimal value
                lsm:    are LSM specific
                option: appraise_type:= [imasig]

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index f2421f7..525301c 100644 (file)
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -27,6 +27,7 @@
 #define IMA_UID                0x0008
 #define IMA_FOWNER     0x0010
 #define IMA_FSUUID     0x0020
+#define IMA_EUID       0x0080
 
 #define UNKNOWN                0
 #define MEASURE                0x0001  /* same as IMA_MEASURE */
@@ -194,6 +195,16 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
                return false;
        if ((rule->flags & IMA_UID) && !uid_eq(rule->uid, cred->uid))
                return false;
+       if (rule->flags & IMA_EUID) {
+               if (has_capability_noaudit(current, CAP_SETUID)) {
+                       if (!uid_eq(rule->uid, cred->euid)
+                           && !uid_eq(rule->uid, cred->suid)
+                           && !uid_eq(rule->uid, cred->uid))
+                               return false;
+               } else if (!uid_eq(rule->uid, cred->euid))
+                       return false;
+       }
+
        if ((rule->flags & IMA_FOWNER) && !uid_eq(rule->fowner, inode->i_uid))
                return false;
        for (i = 0; i < MAX_LSM_RULES; i++) {
@@ -373,7 +384,8 @@ enum {
        Opt_audit,
        Opt_obj_user, Opt_obj_role, Opt_obj_type,
        Opt_subj_user, Opt_subj_role, Opt_subj_type,
-       Opt_func, Opt_mask, Opt_fsmagic, Opt_uid, Opt_fowner,
+       Opt_func, Opt_mask, Opt_fsmagic,
+       Opt_uid, Opt_euid, Opt_fowner,
        Opt_appraise_type, Opt_fsuuid, Opt_permit_directio
 };
 
@@ -394,6 +406,7 @@ static match_table_t policy_tokens = {
        {Opt_fsmagic, "fsmagic=%s"},
        {Opt_fsuuid, "fsuuid=%s"},
        {Opt_uid, "uid=%s"},
+       {Opt_euid, "euid=%s"},
        {Opt_fowner, "fowner=%s"},
        {Opt_appraise_type, "appraise_type=%s"},
        {Opt_permit_directio, "permit_directio"},
@@ -566,6 +579,9 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
                        break;
                case Opt_uid:
                        ima_log_string(ab, "uid", args[0].from);
+               case Opt_euid:
+                       if (token == Opt_euid)
+                               ima_log_string(ab, "euid", args[0].from);
 
                        if (uid_valid(entry->uid)) {
                                result = -EINVAL;
@@ -574,11 +590,14 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
 
                        result = kstrtoul(args[0].from, 10, &lnum);
                        if (!result) {
-                               entry->uid = make_kuid(current_user_ns(), (uid_t)lnum);
-                               if (!uid_valid(entry->uid) || (((uid_t)lnum) != lnum))
+                               entry->uid = make_kuid(current_user_ns(),
+                                                      (uid_t) lnum);
+                               if (!uid_valid(entry->uid) ||
+                                   (uid_t)lnum != lnum)
                                        result = -EINVAL;
                                else
-                                       entry->flags |= IMA_UID;
+                                       entry->flags |= (token == Opt_uid)
+                                           ? IMA_UID : IMA_EUID;
                        }
                        break;
                case Opt_fowner: