public inbox for containers@lists.linux.dev
From: Mimi Zohar <zohar@linux.ibm.com>
To: Luke Hinds <lhinds@redhat.com>, "Dr. Greg" <greg@enjellic.com>
Cc: mkayaalp@cs.binghamton.edu, nick.dusek@gmail.com,
	sunyuqiong1988@gmail.com, containers@lists.linux-foundation.org,
	jannh@google.com, roberto.sassu@huawei.com,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	viro@zeniv.linux.org.uk, krzysztof.struczynski@huawei.com,
	linux-security-module@vger.kernel.org,
	silviu.vlasceanu@huawei.com, ebiederm@xmission.com,
	dmitry.kasatkin@gmail.com, luto@amacapital.net,
	Christian Brauner <christian.brauner@ubuntu.com>,
	torvalds@linux-foundation.org, linux-integrity@vger.kernel.org
Subject: Re: [RFC PATCH 00/30] ima: Introduce IMA namespace
Date: Tue, 08 Sep 2020 10:03:24 -0400
Message-ID: <d405bab0d262b32fd16e85444791b6c49d820aa2.camel@linux.ibm.com>
In-Reply-To: <CAKrSGQR3Pw=Rad2RgUuCHqr0r2Nc6x2nLoo2cVAkD+_8Vbmd7A@mail.gmail.com>

On Mon, 2020-09-07 at 12:50 +0100, Luke Hinds wrote:
> > Candidly, given the politics of security technology being viewed as
> > 'constraining' user rights, I think that a lot of forthcoming security
> > technology may end up being out of tree moving forward.
> > 
> 
> I think it's prudent to look forward and plan diligently, but I would
> not want perfect to be the enemy of good.

Agreed.  This isn't an abstract problem, but one that has already come
up and, hopefully, has been addressed appropriately.

> 
> I approach this more from a user's perspective. We are using IMA in 
> https://keylime.dev to measure a host and would like to measure
> within a container too. It's the most common request we hear from our
> users.
> 
> Perhaps we all collaborate on a proposal extending Stefan's work here:
> https://kernsec.org/wiki/index.php/IMA_Namespacing_design_considerations
> 
> I have seen around 3-4 patches now get submitted, so work has been
> done before, and as above, users are present too. We could then have
> some consensus on how this should look and later patches might have
> more success at landing.
> 
> Would anyone be interested in this and have recommendations on how we
> could approach this?

When Roberto Sassu and Krzysztof Struczynski contacted me about the
status of Stefan Berger's patch set, based on Yuqiong Sun's work, I was
under the impression that they would be rebasing it on the latest
kernel and going forward from there.  Obviously things changed.  I
pointed out to them resolving the "IMA namespacing" issue would be the
first thing that needs to be addressed.  So here we are.

Definitely, let's have this discussion.

Mimi

_______________________________________________
Containers mailing list
Containers@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/containers

Thread overview: 11+ messages
2020-09-02 18:53       ` [RFC PATCH 00/30] ima: Introduce IMA namespace Mimi Zohar
2020-09-04 14:06         ` Dr. Greg
2020-09-14 12:05         ` Krzysztof Struczynski
     [not found]   ` <20200818164943.va3um7toztazcfud@wittgenstein>
2020-09-02 19:54     ` Mimi Zohar
2020-09-06 17:14       ` Dr. Greg
2020-09-07 11:50         ` Luke Hinds
2020-09-08 14:03           ` Mimi Zohar [this message]
2020-09-14 12:07             ` Krzysztof Struczynski
2020-10-19  9:30             ` Krzysztof Struczynski
2020-10-25 15:00               ` Dr. Greg
2020-09-09 10:11           ` Dr. Greg
