diff for duplicates of <1501014695.3689.41.camel@HansenPartnership.com> diff --git a/a/1.txt b/N1/1.txt index 503560a..404fcc5 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -9,7 +9,7 @@ On Tue, 2017-07-25 at 15:48 -0400, Mimi Zohar wrote: > > > > On Tue, 2017-07-25 at 12:53 -0500, Serge E. Hallyn wrote: [...] > > > > the latter, it does seem that this should be a property of -> > > > either the mount or user ns rather than its own separate ns. ?I +> > > > either the mount or user ns rather than its own separate ns. I > > > > could see a use where even a container might want multiple ima > > > > keyrings within the container (say containerised apache service > > > > with multiple tenants), so instinct tells me that mount ns is @@ -21,7 +21,7 @@ On Tue, 2017-07-25 at 15:48 -0400, Mimi Zohar wrote: > > > clone(CLONE_NEWNS). > > > > I could go with that, but what about the trigger being installing -> > or updating the keyring? ?That's the only operation that needs +> > or updating the keyring? That's the only operation that needs > > namespace separation, so on mount ns clone, you get a pointer to > > the old ima_ns until you do something that requires a new key, > > which then triggers the copy of the namespace and installing it? 
@@ -30,10 +30,10 @@ On Tue, 2017-07-25 at 15:48 -0400, Mimi Zohar wrote: > measurement list and policy as well. OK, so trigger to do a just in time copy would be new key or new -policy. ?The measurement list is basically just a has of a file taken -at a policy point. ?Presumably it doesn't change if we install a new +policy. The measurement list is basically just a has of a file taken +at a policy point. Presumably it doesn't change if we install a new policy or key, so it sounds like it should be tied to the underlying -mount point? ?I'm thinking if we set up a hundred mount ns each +mount point? I'm thinking if we set up a hundred mount ns each pointing to /var/container, we don't want /var/container/bin/something to have 100 separate measurements each with the same hash. @@ -43,8 +43,8 @@ to have 100 separate measurements each with the same hash. > namespace specific measurement list, not it's parent. Would the measurement in a child namespace yield a different -measurement in the parent? ?I'm thinking not, because a measurement is -just a hash. ?Now if the signature of the hash in the xattr needs a +measurement in the parent? I'm thinking not, because a measurement is +just a hash. Now if the signature of the hash in the xattr needs a different key, obviously this differs, but the expensive part (computing the hash) shouldn't change. @@ -55,10 +55,5 @@ James > > _______________________________________________ > Containers mailing list -> Containers at lists.linux-foundation.org +> Containers@lists.linux-foundation.org > https://lists.linuxfoundation.org/mailman/listinfo/containers - --- -To unsubscribe from this list: send the line "unsubscribe linux-security-module" in -the body of a message to majordomo at vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/a/content_digest b/N1/content_digest index 24be844..7e9168f 100644 --- a/a/content_digest +++ b/N1/content_digest 
@@ -5,10 +5,20 @@ "ref\020170725190406.GA1883@mail.hallyn.com\0" "ref\01501009739.3689.33.camel@HansenPartnership.com\0" "ref\01501012082.27413.17.camel@linux.vnet.ibm.com\0" - "From\0James.Bottomley@hansenpartnership.com (James Bottomley)\0" - "Subject\0[RFC PATCH 1/5] ima: extend clone() with IMA namespace support\0" + "From\0James Bottomley <James.Bottomley@hansenpartnership.com>\0" + "Subject\0Re: [RFC PATCH 1/5] ima: extend clone() with IMA namespace support\0" "Date\0Tue, 25 Jul 2017 13:31:35 -0700\0" - "To\0linux-security-module@vger.kernel.org\0" + "To\0Mimi Zohar <zohar@linux.vnet.ibm.com>" + " Serge E. Hallyn <serge@hallyn.com>\0" + "Cc\0Mehmet Kayaalp <mkayaalp@cs.binghamton.edu>" + Mehmet Kayaalp <mkayaalp@linux.vnet.ibm.com> + Yuqiong Sun <sunyuqiong1988@gmail.com> + containers <containers@lists.linux-foundation.org> + linux-kernel <linux-kernel@vger.kernel.org> + David Safford <david.safford@ge.com> + linux-security-module <linux-security-module@vger.kernel.org> + ima-devel <linux-ima-devel@lists.sourceforge.net> + " Yuqiong Sun <suny@us.ibm.com>\0" "\00:1\0" "b\0" "On Tue, 2017-07-25 at 15:48 -0400, Mimi Zohar wrote:\n" @@ -22,7 +32,7 @@ "> > > > On Tue, 2017-07-25 at 12:53 -0500, Serge E. Hallyn wrote:\n" "[...]\n" "> > > > the latter, it does seem that this should be a property of\n" - "> > > > either the mount or user ns rather than its own separate ns. ?I\n" + "> > > > either the mount or user ns rather than its own separate ns. \302\240I\n" "> > > > could see a use where even a container might want multiple ima\n" "> > > > keyrings within the container (say containerised apache service\n" "> > > > with multiple tenants), so instinct tells me that mount ns is\n" 
@@ -34,7 +44,7 @@ "> > > clone(CLONE_NEWNS).\n" "> > \n" "> > I could go with that, but what about the trigger being installing\n" - "> > or updating the keyring? ?That's the only operation that needs\n" + "> > or updating the keyring? \302\240That's the only operation that needs\n" "> > namespace separation, so on mount ns clone, you get a pointer to\n" "> > the old ima_ns until you do something that requires a new key,\n" "> > which then triggers the copy of the namespace and installing it?\n" @@ -43,10 +53,10 @@ "> measurement list and policy as well.\n" "\n" "OK, so trigger to do a just in time copy would be new key or new\n" - "policy. ?The measurement list is basically just a has of a file taken\n" - "at a policy point. ?Presumably it doesn't change if we install a new\n" + "policy. \302\240The measurement list is basically just a has of a file taken\n" + "at a policy point. \302\240Presumably it doesn't change if we install a new\n" "policy or key, so it sounds like it should be tied to the underlying\n" - "mount point? ?I'm thinking if we set up a hundred mount ns each\n" + "mount point? \302\240I'm thinking if we set up a hundred mount ns each\n" "pointing to /var/container, we don't want /var/container/bin/something\n" "to have 100 separate measurements each with the same hash.\n" "\n" @@ -56,8 +66,8 @@ "> namespace specific measurement list, not it's parent.\n" "\n" "Would the measurement in a child namespace yield a different\n" - "measurement in the parent? ?I'm thinking not, because a measurement is\n" - "just a hash. ?Now if the signature of the hash in the xattr needs a\n" + "measurement in the parent? \302\240I'm thinking not, because a measurement is\n" + "just a hash. \302\240Now if the signature of the hash in the xattr needs a\n" "different key, obviously this differs, but the expensive part\n" "(computing the hash) shouldn't change.\n" "\n" 
@@ -68,12 +78,7 @@ "> \n" "> _______________________________________________\n" "> Containers mailing list\n" - "> Containers at lists.linux-foundation.org\n" - "> https://lists.linuxfoundation.org/mailman/listinfo/containers\n" - "\n" - "--\n" - "To unsubscribe from this list: send the line \"unsubscribe linux-security-module\" in\n" - "the body of a message to majordomo at vger.kernel.org\n" - More majordomo info at http://vger.kernel.org/majordomo-info.html + "> Containers@lists.linux-foundation.org\n" + > https://lists.linuxfoundation.org/mailman/listinfo/containers -f8da4bf7ab52f1b19f0053dc21249d239f7df0bc237790524f29d8f3cd84bf13 +f2f342ce0c21ea9f6e12e99a20154bb36483fd29219ed3ed548b8b9db57578d8
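Review bot: the two copies carry the same message text, and every body hunk (1.txt lines 9-60 and the matching content_digest hunks) differs only in encoding and list munging, so the content_digest change in the final hunk is the expected consequence rather than a content edit. In the `a/1.txt` copy the non-breaking spaces after sentence-final periods are rendered as `?` where the `N1` copy stores them as `\302\240`, the list address is munged to `Containers at lists.linux-foundation.org`, and the vger majordomo footer is appended; the `N1` copy keeps the un-munged headers (`From\0James Bottomley <James.Bottomley@hansenpartnership.com>`, the full To/Cc lists) and the `Re:` subject prefix. If anything downstream keys on these digests for duplicate detection, normalise NBSP vs `?` and strip list footers and address munging before hashing, otherwise the same post will keep surfacing as two entries.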