    IMA: Support using new creds in appraisal policy · d906c10d
    Matthew Garrett authored
    The existing BPRM_CHECK functionality in IMA validates against the
    credentials of the existing process, not any new credentials that the
    child process may transition to. Add an additional CREDS_CHECK target
    and refactor IMA to pass the appropriate creds structure. In
    ima_bprm_check(), check with both the existing process credentials and
    the credentials that will be committed when the new process is started.
    This will not change behaviour unless the system policy is extended to
    include CREDS_CHECK targets - BPRM_CHECK will continue to check the same
    credentials that it did previously.
    
    After this patch, an IMA policy rule along the lines of:
    
    measure func=CREDS_CHECK subj_type=unconfined_t
    
    will trigger if a process is executed and runs as unconfined_t, ignoring
    the context of the parent process. This is in contrast to:
    
    measure func=BPRM_CHECK subj_type=unconfined_t
    
    which will trigger if the process that calls exec() is already executing
    in unconfined_t, ignoring the context that the child process executes
    into.
    Signed-off-by: Matthew Garrett <mjg59@google.com>
    Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
    
    Changelog:
    - initialize ima_creds_status
ima.h 9.47 KB