On Thu, Apr 10, 2025 at 01:47:07PM +0200, Roberto Sassu wrote:
> Hi everyone
>
> recently I discovered a problem in the implementation of our IMA
> bprm_check hook, in particular when the policy is matched against the
> bprm credentials (to be committed later during execve()).
>
> Before commit 56305aa9b6fab ("exec: Compute file based creds only
> once"), bprm_fill_uid() was called in prepare_binprm() and filled the
> euid/egid before calling security_bprm_check(), which in turn calls
> IMA.
>
> After that commit, bprm_fill_uid() was moved to begin_new_exec(), which
> is when the last interpreter is found.
>
> The consequence is that IMA still sees the not yet ready credentials
> and an IMA rule like:
>
> measure func=CREDS_CHECK euid=0

"IMA still sees" at which point exactly?

Do I understand right that the problem is that ima's version of
security_bprm_creds_for_exec() needs to run after bprm_creds_from_file()?

Given that Eric's commit message said that no bprm handlers use the uid,
it seems it should be safe to just move that?

> will not be matched for sudo-like applications.
>
> It does work however with SELinux, because it computes the transition
> before IMA in the bprm_creds_for_exec hook.
>
> Since IMA needs to be involved for each execution in the chain of
> interpreters, we cannot move to the bprm_creds_from_file hook.
>
> How do we solve this problem? The commit mentioned that it is an
> optimization, so probably would not be too hard to partially revert it
> (and keeping what is good).
>
> Thanks
>
> Roberto
>
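The mismatch described in the thread (a CREDS_CHECK rule with euid=0 evaluated before bprm_fill_uid() has run, so it fails to match a setuid-root program such as sudo) can be made concrete with a small model. The following is an added example written for this discussion; it is not kernel code or anything posted in the thread. It parses the quoted rule syntax, and the Creds type, bprm_fill_uid() model (effective uid becomes the file owner, nothing else changes; no nosuid, secure-exec or setgid handling) and the sample credentials are constructed assumptions used only to show the two evaluation orders side by side.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample: the IMA policy rule quoted in the thread.
RULE = "measure func=CREDS_CHECK euid=0"

IMA_ACTIONS = ("measure", "dont_measure", "appraise", "dont_appraise",
               "audit", "hash", "dont_hash")


@dataclass(frozen=True)
class Creds:
    """Minimal stand-in for the credentials IMA compares a rule against (assumption)."""
    uid: int
    euid: int
    gid: int
    egid: int


def parse_rule(rule: str) -> Tuple[str, Dict[str, str]]:
    """Parse 'action key=value ...' into (action, {key: value}).

    Only the subset of the IMA policy syntax needed here is handled;
    a token without '=' or an unknown action is rejected.
    """
    action, *conds = rule.split()
    if action not in IMA_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    pairs: Dict[str, str] = {}
    for cond in conds:
        key, sep, value = cond.partition("=")
        if not sep or not key or not value:
            raise ValueError(f"malformed condition {cond!r}")
        pairs[key] = value
    return action, pairs


def rule_matches(rule: str, hook: str, creds: Creds) -> bool:
    """True if every condition of the rule holds for this hook and these creds."""
    _, conds = parse_rule(rule)
    if conds.get("func") != hook:
        return False
    for key in ("uid", "euid", "gid", "egid"):
        if key in conds and getattr(creds, key) != int(conds[key]):
            return False
    return True


def bprm_fill_uid(caller: Creds, file_setuid_owner: Optional[int]) -> Creds:
    """Simplified model (assumption) of bprm_fill_uid() for a setuid binary:
    the effective uid becomes the file owner, other fields are inherited."""
    if file_setuid_owner is None:
        return caller
    return Creds(uid=caller.uid, euid=file_setuid_owner,
                 gid=caller.gid, egid=caller.egid)


def creds_check_both_orders(rule: str, caller: Creds,
                            file_setuid_owner: Optional[int]) -> Tuple[bool, bool]:
    """Evaluate the rule at CREDS_CHECK (a) against the caller's credentials,
    i.e. before bprm_fill_uid() has run, and (b) after it has run."""
    before = rule_matches(rule, "CREDS_CHECK", caller)
    after = rule_matches(rule, "CREDS_CHECK",
                         bprm_fill_uid(caller, file_setuid_owner))
    return before, after


if __name__ == "__main__":
    # Constructed scenario: unprivileged user executes a setuid-root program.
    user = Creds(uid=1000, euid=1000, gid=1000, egid=1000)
    print("setuid-root exec, rule matches (before, after):",
          creds_check_both_orders(RULE, user, 0))
```

With the constructed unprivileged caller the result is (False, True): the euid=0 rule only matches once the file-based credentials have been filled in, which is the ordering change the thread is about. A caller that is already root matches in both orders, so the discrepancy is specific to credential transitions.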