From: zohar@linux.vnet.ibm.com (Mimi Zohar)
To: linux-security-module@vger.kernel.org
Subject: [RFC 04/11] ima: add support to namespace securityfs file
Date: Thu, 25 May 2017 07:46:02 -0400 [thread overview]
Message-ID: <1495712762.3841.89.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <d8d55872-db78-3535-a540-85c0dbb2d6fd@canonical.com>
Hi John,
On Thu, 2017-05-25 at 00:36 -0700, John Johansen wrote:
> On 05/24/2017 01:12 PM, Mimi Zohar wrote:
> > On Thu, 2017-05-11 at 10:59 -0300, Guilherme Magalhaes wrote:
> >> Creating the namespace securityfs file under ima folder. When a mount
> >> namespace id is written to the namespace file, a new folder is created and
> >> with a policy file for that specified namespace. Then, user defined policy
> >> for namespaces may be set by writing rules to this namespace policy file.
> >> With this interface, there is no need to give visibility for the securityfs
> >> inside mount namespaces or containers in userspace.
> >>
> >> Signed-off-by: Guilherme Magalhaes <guilherme.magalhaes@hpe.com>
> >
> > The design needs to be flexible enough for different types of
> > containers, not just for when the orchestration layer provides the
> > policy. With this design, the container owner has no control over the
> > policy.
> >
> > One option is that we bind mount the securityfs/policy, so that root
> > in the container will be allowed to read/write the policy. At some
> > point, we might connect a vTPM to the container so that the container
> > owner would be able to get a quote. For now even without a vTPM, the
> > same mechanism would allow root within the container to read the
> > measurement list.
> >
> I haven't looked at this enough yet on IMAs end, but another possible solution
> is using a symlink and a magic jump_link similar to what nsfs is doing.
>
> The patch series I posted out a couple of weeks ago
> [RFC][Patch 0/3] securityfs: add the ability to support symlinks
>
> adds symlink support to securityfs, and then patch 3/3 cribs from nsfs
> updating apparmorfs to use jump_link to "virtualize" the apparmor policy
> directory. This avoids needing to have the bind mount.
>
> I'll break the patch out more and repost so its easier to see if this
> approach might work for IMA.
Sorry, I've been meaning to take a look at your patches, but just
haven't gotten to it yet. ?This approach sounds really promising.
thanks,
Mimi
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: John Johansen <john.johansen@canonical.com>,
Guilherme Magalhaes <guilherme.magalhaes@hpe.com>,
dmitry.kasatkin@gmail.com
Cc: viro@zeniv.linux.org.uk, james.l.morris@oracle.com,
serge@hallyn.com, linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org,
linux-ima-devel@lists.sourceforge.net,
linux-ima-user@lists.sourceforge.net,
linux-security-module@vger.kernel.org, tycho@docker.com,
joaquims@hpe.com, nigel.edwards@hpe.com
Subject: Re: [RFC 04/11] ima: add support to namespace securityfs file
Date: Thu, 25 May 2017 07:46:02 -0400 [thread overview]
Message-ID: <1495712762.3841.89.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <d8d55872-db78-3535-a540-85c0dbb2d6fd@canonical.com>
Hi John,
On Thu, 2017-05-25 at 00:36 -0700, John Johansen wrote:
> On 05/24/2017 01:12 PM, Mimi Zohar wrote:
> > On Thu, 2017-05-11 at 10:59 -0300, Guilherme Magalhaes wrote:
> >> Creating the namespace securityfs file under ima folder. When a mount
> >> namespace id is written to the namespace file, a new folder is created and
> >> with a policy file for that specified namespace. Then, user defined policy
> >> for namespaces may be set by writing rules to this namespace policy file.
> >> With this interface, there is no need to give visibility for the securityfs
> >> inside mount namespaces or containers in userspace.
> >>
> >> Signed-off-by: Guilherme Magalhaes <guilherme.magalhaes@hpe.com>
> >
> > The design needs to be flexible enough for different types of
> > containers, not just for when the orchestration layer provides the
> > policy. With this design, the container owner has no control over the
> > policy.
> >
> > One option is that we bind mount the securityfs/policy, so that root
> > in the container will be allowed to read/write the policy. At some
> > point, we might connect a vTPM to the container so that the container
> > owner would be able to get a quote. For now even without a vTPM, the
> > same mechanism would allow root within the container to read the
> > measurement list.
> >
> I haven't looked at this enough yet on IMAs end, but another possible solution
> is using a symlink and a magic jump_link similar to what nsfs is doing.
>
> The patch series I posted out a couple of weeks ago
> [RFC][Patch 0/3] securityfs: add the ability to support symlinks
>
> adds symlink support to securityfs, and then patch 3/3 cribs from nsfs
> updating apparmorfs to use jump_link to "virtualize" the apparmor policy
> directory. This avoids needing to have the bind mount.
>
> I'll break the patch out more and repost so its easier to see if this
> approach might work for IMA.
Sorry, I've been meaning to take a look at your patches, but just
haven't gotten to it yet. This approach sounds really promising.
thanks,
Mimi
next prev parent reply other threads:[~2017-05-25 11:46 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-11 13:59 [RFC 00/11] ima: namespace support for IMA policy Guilherme Magalhaes
2017-05-11 13:59 ` Guilherme Magalhaes
2017-05-11 13:59 ` [RFC 01/11] ima: qualify pathname in audit info record Guilherme Magalhaes
2017-05-11 13:59 ` Guilherme Magalhaes
2017-05-11 13:59 ` [RFC 02/11] ima: qualify pathname in audit measurement record Guilherme Magalhaes
2017-05-11 13:59 ` Guilherme Magalhaes
2017-05-11 13:59 ` [RFC 03/11] ima: qualify pathname in measurement file Guilherme Magalhaes
2017-05-11 13:59 ` Guilherme Magalhaes
2017-05-11 13:59 ` [RFC 04/11] ima: add support to namespace securityfs file Guilherme Magalhaes
2017-05-11 13:59 ` Guilherme Magalhaes
2017-05-18 21:39 ` Tycho Andersen
2017-05-18 21:39 ` Tycho Andersen
2017-05-24 20:12 ` Mimi Zohar
2017-05-24 20:12 ` Mimi Zohar
2017-05-25 7:36 ` John Johansen
2017-05-25 7:36 ` John Johansen
2017-05-25 11:46 ` Mimi Zohar [this message]
2017-05-25 11:46 ` Mimi Zohar
2017-05-25 19:04 ` Magalhaes, Guilherme (Brazil R&D-CL)
2017-05-25 19:04 ` Magalhaes, Guilherme (Brazil R&D-CL)
2017-05-29 17:32 ` Mimi Zohar
2017-05-29 17:32 ` Mimi Zohar
2017-05-31 9:49 ` Dr. Greg Wettstein
2017-05-31 9:49 ` Dr. Greg Wettstein
2017-05-11 13:59 ` [RFC 05/11] ima: store new namespace policy structure in a radix tree Guilherme Magalhaes
2017-05-11 13:59 ` Guilherme Magalhaes
2017-05-11 13:59 ` [RFC 06/11] ima, fs: release namespace policy resources Guilherme Magalhaes
2017-05-11 13:59 ` Guilherme Magalhaes
2017-05-11 13:59 ` [RFC 07/11] ima: new namespace policy structure to track initial namespace policy data Guilherme Magalhaes
2017-05-11 13:59 ` Guilherme Magalhaes
2017-05-11 14:00 ` [RFC 08/11] ima: block initial namespace id on the namespace policy interface Guilherme Magalhaes
2017-05-11 14:00 ` Guilherme Magalhaes
2017-05-11 14:00 ` [RFC 09/11] ima: delete namespace policy securityfs file in write-once mode Guilherme Magalhaes
2017-05-11 14:00 ` Guilherme Magalhaes
2017-05-11 14:00 ` [RFC 10/11] ima: handling all policy flags per namespace using ima_ns_policy structure Guilherme Magalhaes
2017-05-11 14:00 ` Guilherme Magalhaes
2017-05-11 14:53 ` [RFC 00/11] ima: namespace support for IMA policy Magalhaes, Guilherme (Brazil R&D-CL)
2017-05-11 14:53 ` Magalhaes, Guilherme (Brazil R&D-CL)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1495712762.3841.89.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.