Linux Integrity Measurement development
From: Stefan Berger <stefanb@linux.ibm.com>
To: Christian Brauner <christian.brauner@ubuntu.com>
Cc: Stefan Berger <stefanb@linux.vnet.ibm.com>,
	linux-integrity@vger.kernel.org, zohar@linux.ibm.com,
	serge@hallyn.com, containers@lists.linux.dev,
	dmitry.kasatkin@gmail.com, ebiederm@xmission.com,
	krzysztof.struczynski@huawei.com, roberto.sassu@huawei.com,
	mpeters@redhat.com, lhinds@redhat.com, lsturman@redhat.com,
	puiterwi@redhat.com, jejb@linux.ibm.com, jamjoom@us.ibm.com,
	linux-kernel@vger.kernel.org, paul@paul-moore.com,
	rgb@redhat.com, linux-security-module@vger.kernel.org,
	jmorris@namei.org
Subject: Re: [PATCH v7 00/14] ima: Namespace IMA with audit support in IMA-ns
Date: Mon, 27 Dec 2021 12:29:42 -0500	[thread overview]
Message-ID: <175831be-4c26-bd86-27c1-dd822514f06f@linux.ibm.com> (raw)
In-Reply-To: <20211217100659.2iah5prshavjk6v6@wittgenstein>


On 12/17/21 05:06, Christian Brauner wrote:
> On Thu, Dec 16, 2021 at 04:00:40PM -0500, Stefan Berger wrote:
>>
>> But that could still mean a lot of contention on iint->mutex since this
>> lock is global, i.e. in this context: for all ima namespaces. You might
>> want to consider coming up with some rough ideas for how to solve this
>> _if_ this becomes a problem in the future.
>>
>> The plan is that each IMA namespace will have its own rbtree with its own
>> set of iints. We cannot do it all at the same time, so this will take a while
>> until things can be completely moved over into a per-IMA namespace rbtree
>> and each IMA namespace becomes fully independent.
> Ok, good to hear that you have already thought about that.


Well, yes, we thought about it. However, as far as I can look ahead we 
cannot get rid of the iint->mutex:

Obviously we have to organize the data structures where IMA is recording 
what it has done with a file/inode in such a way that each namespace can 
efficiently determine whether it needs to audit/measure/appraise a file 
or re-audit/re-measure/re-appraise it after file modification. The 
organization of these data structures also has to reflect the fact that 
files can be shared between IMA namespaces via setns() on mount 
namespaces or shared files or shared mount namespaces between containers 
etc. So, the first thing we do already is move audit-related flags into 
what is called the ns_status (namespace status) structure that are kept 
in a per-IMA namespace rbtree. This allows IMA to remember that a file 
was already audited and it doesn't need to audit it again. The lookup 
via rbtree is quick: O(log(n)).

Unfortunately the previous series had a bug so that files were not 
re-audited after they were modified. I fixed this now in the new series 
(upcoming v8) by connecting each ns_status also to a list. This list 
starts in the global inode integrity cache (the iint rbtree) where each 
inode that any IMA namespace accessed has an iint entry today. The lists 
start on the iint entries representing inodes.  When files are deleted 
or modified or xattrs are modified then all IMA namespaces need to 
re-audit/re-measure/re-appraise the file (depending on policy) and for 
this we have to reset flags across all the IMA namespaces by walking the 
list of ns_status entries. The organization via iint rbtree and 
ns_status list allows for quick lookup of the inode where the 
modification happened and quick reset of the flags: O(log(n)) + O(n). 
This is better than having to search all namespaces to reset the flags 
(O(log(n) * n)) if there was no list.


     Stefan
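The two-structure layout described in the message (a global iint cache keyed by inode, each iint heading a list of per-namespace ns_status entries that also sit in a per-namespace tree) is easiest to see in code. The following is an added model, not code from the patch series or the kernel: sorted arrays with binary search stand in for the kernel's rbtrees (same O(log n) lookup), the function names `ima_ns_audit_file` and `ima_inode_modified` and the `IMA_AUDITED` bit value are assumptions chosen for this example, and the inode numbers used in `main` are constructed. It shows why a modification costs O(log n) for the inode lookup plus one walk of the list of namespaces that touched the inode, rather than a search of every namespace's tree.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the layout in the mail: one global inode integrity
 * cache (iint) plus one ns_status per (namespace, inode). Sorted arrays
 * with binary search stand in for the kernel's rbtrees. */

#define IMA_AUDITED 0x1u   /* assumed flag value for this example */
#define MAX_ENTRIES 64
#define MAX_NS 8

struct ns_status {
    unsigned long ino;        /* inode this status belongs to */
    unsigned flags;           /* this namespace's audit state for the inode */
    struct ns_status *next;   /* list of every namespace's status for this inode */
};

struct iint {
    unsigned long ino;
    struct ns_status *ns_list; /* head of the cross-namespace ns_status list */
};

struct ima_namespace {
    struct ns_status *status[MAX_ENTRIES]; /* per-namespace "rbtree", sorted by ino */
    size_t count;
};

static struct iint iint_cache[MAX_ENTRIES]; /* global "rbtree", sorted by ino */
static size_t iint_count;
static struct ima_namespace namespaces[MAX_NS];

/* O(log n) lookup in the global cache; optionally insert a new iint. */
static struct iint *iint_lookup(unsigned long ino, int create)
{
    size_t lo = 0, hi = iint_count;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (iint_cache[mid].ino < ino) lo = mid + 1; else hi = mid;
    }
    if (lo < iint_count && iint_cache[lo].ino == ino)
        return &iint_cache[lo];
    if (!create || iint_count == MAX_ENTRIES)
        return NULL;
    memmove(&iint_cache[lo + 1], &iint_cache[lo],
            (iint_count - lo) * sizeof(iint_cache[0]));
    iint_cache[lo].ino = ino;
    iint_cache[lo].ns_list = NULL;
    iint_count++;
    return &iint_cache[lo];
}

/* O(log n) lookup in one namespace's tree; a new entry is also linked
 * into the inode's global list so modifications can reach it later. */
static struct ns_status *ns_status_get(struct ima_namespace *ns, unsigned long ino)
{
    size_t lo = 0, hi = ns->count;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (ns->status[mid]->ino < ino) lo = mid + 1; else hi = mid;
    }
    if (lo < ns->count && ns->status[lo]->ino == ino)
        return ns->status[lo];
    if (ns->count == MAX_ENTRIES)
        return NULL;
    struct iint *iint = iint_lookup(ino, 1);
    if (!iint)
        return NULL;
    struct ns_status *st = calloc(1, sizeof(*st));
    if (!st)
        return NULL;
    st->ino = ino;
    st->next = iint->ns_list;
    iint->ns_list = st;
    memmove(&ns->status[lo + 1], &ns->status[lo],
            (ns->count - lo) * sizeof(ns->status[0]));
    ns->status[lo] = st;
    ns->count++;
    return st;
}

/* A file access seen by namespace ns_id: returns 1 if an audit record is
 * due now, 0 if this namespace already audited the inode, -1 on error. */
int ima_ns_audit_file(int ns_id, unsigned long ino)
{
    if (ns_id < 0 || ns_id >= MAX_NS)
        return -1;
    struct ns_status *st = ns_status_get(&namespaces[ns_id], ino);
    if (!st)
        return -1;
    if (st->flags & IMA_AUDITED)
        return 0;
    st->flags |= IMA_AUDITED;
    return 1;
}

/* Inode content or xattrs changed: one O(log n) lookup, then a walk of the
 * ns_status list that resets the flag in every namespace that touched the
 * inode. Returns how many namespace entries were reset. */
int ima_inode_modified(unsigned long ino)
{
    struct iint *iint = iint_lookup(ino, 0);
    int reset = 0;
    if (!iint)
        return 0;
    for (struct ns_status *st = iint->ns_list; st; st = st->next) {
        st->flags &= ~IMA_AUDITED;
        reset++;
    }
    return reset;
}

int main(void)
{
    /* Constructed scenario: two namespaces share inode 42, one also uses 7. */
    printf("ns0 audits 42: %d\n", ima_ns_audit_file(0, 42));  /* 1 */
    printf("ns0 audits 42 again: %d\n", ima_ns_audit_file(0, 42)); /* 0 */
    printf("ns1 audits 42: %d\n", ima_ns_audit_file(1, 42));  /* 1 */
    printf("ns1 audits 7: %d\n", ima_ns_audit_file(1, 7));    /* 1 */
    printf("inode 42 modified, entries reset: %d\n", ima_inode_modified(42)); /* 2 */
    printf("ns0 re-audits 42: %d\n", ima_ns_audit_file(0, 42)); /* 1 */
    return 0;
}
```

The list walk in `ima_inode_modified` is the point of the message: without the per-inode list, resetting flags after a modification would mean searching every namespace's tree for that inode, which is the O(log(n) * n) cost the mail mentions. With the list, the work is bounded by the number of namespaces that actually recorded state for the inode, and a namespace that never touched the file pays nothing.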


Thread overview: 36+ messages
2021-12-16  5:43 [PATCH v7 00/14] ima: Namespace IMA with audit support in IMA-ns Stefan Berger
2021-12-16  5:43 ` [PATCH v7 01/14] ima: Add IMA namespace support Stefan Berger
2021-12-16 14:08   ` Christian Brauner
2021-12-16 21:52     ` James Bottomley
2021-12-17  9:55       ` Christian Brauner
2021-12-16  5:43 ` [PATCH v7 02/14] ima: Define ns_status for storing namespaced iint data Stefan Berger
2021-12-16  5:43 ` [PATCH v7 03/14] ima: Namespace audit status flags Stefan Berger
2021-12-16  5:43 ` [PATCH v7 04/14] ima: Move policy related variables into ima_namespace Stefan Berger
2021-12-16 14:26   ` kernel test robot
2021-12-16  5:43 ` [PATCH v7 05/14] ima: Move ima_htable " Stefan Berger
2021-12-16  5:43 ` [PATCH v7 06/14] ima: Move measurement list related variables " Stefan Berger
2021-12-16  5:43 ` [PATCH v7 07/14] ima: Only accept AUDIT rules for IMA non-init_ima_ns namespaces for now Stefan Berger
2021-12-16  5:43 ` [PATCH v7 08/14] ima: Implement hierarchical processing of file accesses Stefan Berger
2021-12-16  5:43 ` [PATCH v7 09/14] securityfs: Only use simple_pin_fs/simple_release_fs for init_user_ns Stefan Berger
2021-12-16  5:43 ` [PATCH v7 10/14] securityfs: Extend securityfs with namespacing support Stefan Berger
2021-12-16 13:40   ` Christian Brauner
2021-12-16 16:28     ` Christian Brauner
2022-01-03 14:09     ` Stefan Berger
2021-12-17 16:21   ` [RFC PATCH] securityfs: securityfs_dir_inode_operations can be static kernel test robot
2021-12-17 16:29   ` [PATCH v7 10/14] securityfs: Extend securityfs with namespacing support kernel test robot
2021-12-16  5:43 ` [PATCH v7 11/14] ima: Move some IMA policy and filesystem related variables into ima_namespace Stefan Berger
2021-12-16  5:43 ` [PATCH v7 12/14] ima: Use mac_admin_ns_capable() to check corresponding capability Stefan Berger
2021-12-16  5:43 ` [PATCH v7 13/14] ima: Move dentry into ima_namespace and others onto stack Stefan Berger
2021-12-16  5:43 ` [PATCH v7 14/14] ima: Setup securityfs for IMA namespace Stefan Berger
2021-12-16 10:59   ` kernel test robot
2021-12-16 12:02   ` kernel test robot
2021-12-16 13:51   ` Christian Brauner
2021-12-16 21:38     ` Stefan Berger
2021-12-16 12:50 ` [PATCH v7 00/14] ima: Namespace IMA with audit support in IMA-ns Christian Brauner
2021-12-16 13:31   ` Christian Brauner
2021-12-16 21:27     ` Stefan Berger
2021-12-17 10:25       ` Christian Brauner
2021-12-18  2:38     ` Stefan Berger
2021-12-16 21:00   ` Stefan Berger
2021-12-17 10:06     ` Christian Brauner
2021-12-27 17:29       ` Stefan Berger [this message]
