Re: [RFC PATCH v2 1/3] ima: extend clone() with IMA namespace support

[Stefan Berger <stefanb-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>]

On 03/15/2018 03:20 PM, Eric W. Biederman wrote:
> Stefan Berger <stefanb-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org> writes:
>
>> On 03/15/2018 03:01 PM, James Bottomley wrote:
>>> On Thu, 2018-03-15 at 14:51 -0400, Stefan Berger wrote:
>>>> On 03/15/2018 02:45 PM, James Bottomley wrote:
>>> [...]
>>>>>>> going to need some type of keyring namespace and there's
>>>>>>> already
>>>>>>> one hanging off the user_ns:
>>>>>>>
>>>>>>> commit f36f8c75ae2e7d4da34f4c908cebdb4aa42c977e
>>>>>>> Author: David Howells <dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
>>>>>>> Date:   Tue Sep 24 10:35:19 2013 +0100
>>>>>>>
>>>>>>>         KEYS: Add per-user_namespace registers for persistent
>>>>>>> per-UID
>>>>>>> kerberos caches
>>>>>> The benefit for IMA would be that this would then tie the keys
>>>>>> needed for appraising to the IMA namespace's policy.
>>>>>> However, if you have an appraise policy in your IMA namespace,
>>>>>> which is now hooked to the user namespace, and you join that user
>>>>>> namespace but your files don't have signatures, nothing will
>>>>>> execute anymore. That's now a side effect of joining this user
>>>>>> namespace unless we have a magic  exception. My feeling is,
>>>>>> people may not like that...
>>>>> Agree, but I think the magic might be to populate the ima keyring
>>>>> with the parent on user_ns creation.  That way the user_ns owner
>>>>> can delete the parent keys if they don't like them, but by default
>>>>> the parent appraisal policy should just work.
>>>> That may add keys to your keyring but doesn't get you signatures on
>>>> your  files.
>>> But it doesn't need to.  The only way we'd get a failure is if the file
>>> is already being appraised and we lose access to the key.  If the
>> Well, the configuration I talked about above was assuming that we have
>> an appraisal policy active in the IMA namespace, which is now tied to
>> the user namespace that was just joined.
>>
>> If we are fine with the side effects of an IMA policy active as part
>> of a user namespace then let's go with it. The side effects in case of
>> an active IMA appraisal may then be that files cannot be
>> read/accessed, or file measurements or IMA auditing may occur.
>>
>> The alternative is we have an independent IMA namespace. If one joins
>> the USER namespace and there are no IMA-related side effects. If one
>> joins the IMA namespace its IMA policy should start being enforced. If
>> the current active USER namespace has the keys that go with the
>> signatures of the filesystem, then we're fine from the appraisal
>> perspective. If not, then IMA namespace joining may prevent file
>> accesses.
>>
>>> parent policy isn't appraisal, entering the IMA NS won't cause
>> Why parent policy? The policy of the namespace that was joined should
>> be the active one, no ?
> Unless I am completely blind we should never stop enforcing the parent's
> polciy.  We should only add policy to enforce for the scope of a
> container.

What we want is an independent policy for each IMA namespace.

What we don't want is that root can abuse his power to spawn new 
namespaces and circumvent a file appraisal policy on the host (in 
init_ima_ns). Because of that root's activities are subject to the IMA 
policy of the currently active IMA namespace and the one of init_ima_ns 
(and possibly all the ones in between). If root is working in a child 
IMA namespace and file appraisal fails due to the policy in init_ima_ns 
and keys found in .ima or _ima keyrings attached to init_user_ns, the 
file access will be denied.

Besides that root's activities will always be measured and audited 
following the policy in init_ima_ns. This tries to prevent that root 
spawns an IMA namespace with a NULL policy and does things in the TCB 
and tries to escape the logging.

>
> In practice this is just the containers policy as the container is most
> likely a do whatever you want to in the parent policy.  But not always
> and not explicitly.
>
> Mount namespaces are not hierarchical, user namespaces are.  Which makes
> them much more appropriate for being part of nested policy enforcement.

We don't want additive or hierarchical policies - at least I don't. They 
should be independent. Only exception are activities of root that are 
always iteratively evaluated against policies of the current IMA NS and 
the init_ima_ns and possibly all the ones in between.

>
>  From previous conversations I remember that there is a legitimate
> bootstrap problem for IMA.  That needs to be looked at, and I am not
> seeing that mentioned.

IMA's log should not have a gap. So ideally we shouldn't have to write 
something into sysfs to spawn a new IMA namespace so that we don't miss 
whatever setup may have happened to get there, including the writing 
into procfs. IMA should be there right from the start. So a clone flag 
would be ideal for that.

>
> Eric
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>