mirror of
				https://github.com/linuxkit/linuxkit.git
				synced 2025-10-26 15:43:56 +00:00 
			
		
		
		
	This is a project with a v1 of the IMA namespacing patches. See the readme for details on use. Signed-off-by: Tycho Andersen <tycho@docker.com>
		
			
				
	
	
		
			62 lines
		
	
	
		
			1.7 KiB
		
	
	
	
		
			Diff
		
	
	
	
	
	
			
		
		
	
	
			62 lines
		
	
	
		
			1.7 KiB
		
	
	
	
		
			Diff
		
	
	
	
	
	
| From 0a3ac1bcf03b07940dff18ce29cd05ced91155c0 Mon Sep 17 00:00:00 2001
 | |
| From: Guilherme Magalhaes <guilherme.magalhaes@hpe.com>
 | |
| Date: Tue, 9 May 2017 17:19:57 -0300
 | |
| Subject: [PATCH 08/11] ima: block initial namespace id on the namespace policy
 | |
|  interface
 | |
| 
 | |
| The initial namespace policy is set through the existent interface
 | |
| in the ima/policy securityfs file. Block the initial namespace
 | |
| id when it is written to the ima/namespace securityfs file.
 | |
| 
 | |
| Signed-off-by: Guilherme Magalhaes <guilherme.magalhaes@hpe.com>
 | |
| ---
 | |
|  security/integrity/ima/ima_fs.c | 18 ++++++++++++++++++
 | |
|  1 file changed, 18 insertions(+)
 | |
| 
 | |
| diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
 | |
| index 61f8da1..65c43e7 100644
 | |
| --- a/security/integrity/ima/ima_fs.c
 | |
| +++ b/security/integrity/ima/ima_fs.c
 | |
| @@ -365,6 +365,16 @@ static int check_mntns(unsigned int ns_id)
 | |
|  	return result;
 | |
|  }
 | |
|  
 | |
| +static unsigned int initial_mntns_id;
 | |
| +static void get_initial_mntns_id(void)
 | |
| +{
 | |
| +	struct ns_common *ns;
 | |
| +
 | |
| +	ns = mntns_operations.get(&init_task);
 | |
| +	initial_mntns_id = ns->inum;
 | |
| +	mntns_operations.put(ns);
 | |
| +}
 | |
| +
 | |
|  /*
 | |
|   * ima_find_namespace_id_from_inode
 | |
|   * @policy_inode: the inode of the securityfs policy file for a given
 | |
| @@ -699,6 +709,12 @@ static ssize_t handle_new_namespace_policy(const char *data, size_t datalen)
 | |
|  		goto out;
 | |
|  	}
 | |
|  
 | |
| +	if (ns_id == initial_mntns_id) {
 | |
| +		pr_err("IMA: invalid use of the initial mount namespace\n");
 | |
| +		result = -EINVAL;
 | |
| +		goto out;
 | |
| +	}
 | |
| +
 | |
|  	ima_namespace_lock();
 | |
|  	if (check_mntns(ns_id)) {
 | |
|  		result = -ENOENT;
 | |
| @@ -835,6 +851,8 @@ int __init ima_fs_init(void)
 | |
|  						&ima_namespaces_ops);
 | |
|  	if (IS_ERR(ima_namespaces))
 | |
|  		goto out;
 | |
| +
 | |
| +	get_initial_mntns_id();
 | |
|  #endif
 | |
|  
 | |
|  	return 0;
 | |
| -- 
 | |
| 2.9.3
 | |
| 
 |