author | Christian Brauner <christian.brauner@ubuntu.com> | 2021-01-21 16:19:45 +0300 |
---|---|---|
committer | Christian Brauner <christian.brauner@ubuntu.com> | 2021-01-24 16:27:20 +0300 |
commit | a2d2329e30e224ea68d575d2525b866df9805ea0 (patch) | |
tree | 5c56b6472bcb77840030918e5d0ea28077762365 /security/integrity/ima/ima_asymmetric_keys.c | |
parent | 3cee6079f62f4d3a37d9dda2e0851677e08028ff (diff) | |

ima: handle idmapped mounts

IMA does sometimes access the inode's i_uid and compares it against the
rules' fowner. Enable IMA to handle idmapped mounts by passing down the
mount's user namespace. We simply make use of the helpers we introduced
before. If the initial user namespace is passed nothing changes so
non-idmapped mounts will see identical behavior as before.

Link: https://lore.kernel.org/r/20210121131959.646623-27-christian.brauner@ubuntu.com
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Diffstat (limited to 'security/integrity/ima/ima_asymmetric_keys.c')
-rw-r--r-- | security/integrity/ima/ima_asymmetric_keys.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/security/integrity/ima/ima_asymmetric_keys.c b/security/integrity/ima/ima_asymmetric_keys.c index 1c68c500c26f..c4ef69100789 100644 --- a/security/integrity/ima/ima_asymmetric_keys.c +++ b/security/integrity/ima/ima_asymmetric_keys.c @@ -10,6 +10,7 @@ */ #include <keys/asymmetric-type.h> +#include <linux/user_namespace.h> #include "ima.h" /** @@ -58,7 +59,7 @@ void ima_post_key_create_or_update(struct key *keyring, struct key *key, * if the IMA policy is configured to measure a key linked * to the given keyring. */ - process_buffer_measurement(NULL, payload, payload_len, + process_buffer_measurement(&init_user_ns, NULL, payload, payload_len, keyring->description, KEY_CHECK, 0, keyring->description); } |
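
Review bot: In the second hunk, the call in ima_post_key_create_or_update() hard-codes &init_user_ns as the new first argument, with nothing in the code saying why this call site does not take a mount's user namespace. The commit message states that passing the initial user namespace leaves behaviour unchanged, and the argument that follows stays NULL, so this path appears to have no mount to derive a namespace from. A sentence in the existing block comment above the call, stating that key measurements are not tied to a mount and therefore always use init_user_ns, would keep a later reader from treating this as a missed conversion when auditing which IMA paths honour idmapped mounts.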