userns: Add user namespace support to IMA

Use kuid's in the IMA rules.

When reporting the current uid in audit logs use from_kuid
to get a usable value.

Cc: Mimi Zohar <zohar@us.ibm.com>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>

2 files changed, 10 insertions, 9 deletions

diff --git a/security/integrity/ima/ima_audit.c b/security/integrity/ima/ima_audit.c
index 7a57f6769e9c..c586faae8fd6 100644
--- a/security/integrity/ima/ima_audit.c
+++ b/security/integrity/ima/ima_audit.c
@@ -39,8 +39,9 @@ void integrity_audit_msg(int audit_msgno, struct inode *inode,
 
         ab = audit_log_start(current->audit_context, GFP_KERNEL, audit_msgno);
         audit_log_format(ab, "pid=%d uid=%u auid=%u ses=%u",
-                         current->pid, current_cred()->uid,
-                         audit_get_loginuid(current),
+                         current->pid,
+                         from_kuid(&init_user_ns, current_cred()->uid),
+                         from_kuid(&init_user_ns, audit_get_loginuid(current)),
                          audit_get_sessionid(current));
         audit_log_task_context(ab);
         audit_log_format(ab, " op=");
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 1a9583008aae..c84df05180cb 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -39,7 +39,7 @@ struct ima_measure_rule_entry {
         enum ima_hooks func;
         int mask;
         unsigned long fsmagic;
-        uid_t uid;
+        kuid_t uid;
         struct {
                 void *rule;     /* LSM file metadata specific */
                 int type;       /* audit type */
@@ -71,7 +71,7 @@ static struct ima_measure_rule_entry default_rules[] = {
          .flags = IMA_FUNC | IMA_MASK},
         {.action = MEASURE,.func = BPRM_CHECK,.mask = MAY_EXEC,
          .flags = IMA_FUNC | IMA_MASK},
-        {.action = MEASURE,.func = FILE_CHECK,.mask = MAY_READ,.uid = 0,
+        {.action = MEASURE,.func = FILE_CHECK,.mask = MAY_READ,.uid = GLOBAL_ROOT_UID,
          .flags = IMA_FUNC | IMA_MASK | IMA_UID},
 };
 
@@ -112,7 +112,7 @@ static bool ima_match_rules(struct ima_measure_rule_entry *rule,
         if ((rule->flags & IMA_FSMAGIC)
             && rule->fsmagic != inode->i_sb->s_magic)
                 return false;
-        if ((rule->flags & IMA_UID) && rule->uid != cred->uid)
+        if ((rule->flags & IMA_UID) && !uid_eq(rule->uid, cred->uid))
                 return false;
         for (i = 0; i < MAX_LSM_RULES; i++) {
                 int rc = 0;
@@ -277,7 +277,7 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry)
 
         ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_RULE);
 
-        entry->uid = -1;
+        entry->uid = INVALID_UID;
         entry->action = UNKNOWN;
         while ((p = strsep(&rule, " \t")) != NULL) {
                 substring_t args[MAX_OPT_ARGS];
@@ -361,15 +361,15 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry)
                 case Opt_uid:
                         ima_log_string(ab, "uid", args[0].from);
 
-                        if (entry->uid != -1) {
+                        if (uid_valid(entry->uid)) {
                                 result = -EINVAL;
                                 break;
                         }
 
                         result = strict_strtoul(args[0].from, 10, &lnum);
                         if (!result) {
-                                entry->uid = (uid_t) lnum;
-                                if (entry->uid != lnum)
+                                entry->uid = make_kuid(current_user_ns(), (uid_t)lnum);
+                                if (!uid_valid(entry->uid) || (((uid_t)lnum) != lnum))
                                         result = -EINVAL;
                                 else
                                         entry->flags |= IMA_UID;