From: Stefan Berger <stefanb@linux.ibm.com>
To: Christian Brauner <christian.brauner@ubuntu.com>,
Stefan Berger <stefanb@linux.vnet.ibm.com>
Cc: linux-integrity@vger.kernel.org, zohar@linux.ibm.com,
serge@hallyn.com, containers@lists.linux.dev,
dmitry.kasatkin@gmail.com, ebiederm@xmission.com,
krzysztof.struczynski@huawei.com, roberto.sassu@huawei.com,
mpeters@redhat.com, lhinds@redhat.com, lsturman@redhat.com,
puiterwi@redhat.com, jejb@linux.ibm.com, jamjoom@us.ibm.com,
linux-kernel@vger.kernel.org, paul@paul-moore.com,
rgb@redhat.com, linux-security-module@vger.kernel.org,
jmorris@namei.org
Subject: Re: [PATCH v7 00/14] ima: Namespace IMA with audit support in IMA-ns
Date: Fri, 17 Dec 2021 21:38:16 -0500
Message-ID: <0d6d0a22-0f3a-5f99-e603-f139d8fe7801@linux.ibm.com>
In-Reply-To: <20211216133148.aw3xs4sxuebkampb@wittgenstein>

On 12/16/21 08:31, Christian Brauner wrote:
>
> 1. namespace securityfs
> This patch is thematically standalone and should move to the
> beginning of the series.
> I would strongly recommend to fold patch 9 and 10 into a single patch
> and add a lengthy explanation. You should be able to recycle a lot of
> stuff I wrote in earlier reviews.
>
> 2. Introduce struct ima_namespace and pass it through to all callers:
> - introduce struct ima_namespace
> - move all the relevant things into this structure (this also avoids
> the "avoid_zero_size" hack).

We could defer the kmalloc() that doesn't work on a zero-sized request.
I would say this is minor.

> - define, setup, and expose init_ima_ns
> - introduce get_current_ns() and always have it return &init_ima_ns for now
> - replace all accesses to global variables to go through &init_ima_ns
> - add new infrastructure you'll need later on
> Bonus is that you can extend all the functions that later need access
> to a specific ima namespace to take a struct ima_namespace * argument
> and pass down &init_ima_ns down (retrieved via get_current_ns()). This
> will make the actual namespace patch very easy to follow.
>
> 3. namespace ima
> - add a new entry for struct ima_namespace to struct user_namespace
> - add creation helpers, kmem cache etc.
> - create files in securityfs per ns

I have tried this now and I am looking at 4 remaining patches that need
to somehow find their way into v8 without causing too many disturbances.
At what point (over how many patches) can I introduce CONFIG_IMA_NS
without anything related to IMA namespacing happening? I need it early
in 'your 3rd part' since it is also used for conditional compilation
(Makefile) and #ifdef's where Makefile content and what the #ifdefs are
doing probably shouldn't be squeezed into a single patch just so it's
all enabled in one patch, but it should probably still remain logically
separated into different patches. Enablement of IMA namespace would be
in the very last patch. But there may be several patches between the
very last one and where CONFIG_IMA_NS is introduced...

v7 at least, before the requirement to do late/lazy initialization,
enabled CONFIG_IMA_NS right away and built every step on top of it, even
if the IMA namespace only became **configurable** in the last patch when
securityfs was enabled and one could set a policy. From that perspective
it would be easier to switch to late initialization in a patch on top of
v7 but .. ok, we cannot do that.

> This way at all points in the series we have clearly defined semantics
> where ima namespacing is either fully working or fully not working and
> the switch is atomic in the patch(es) part of 3.

Atomic over multiple patches? So introducing CONFIG_IMA_NS that doesn't
do anything for several patches is still considered 'atomic' then?
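
The pass-through pattern from item 2 of the quoted review, as a userspace C model added here; it is not code from the patch series or from either participant. `struct ima_namespace`, `init_ima_ns`, `get_current_ns()` and `CONFIG_IMA_NS` are names from the thread; the struct fields and every `model_*` helper are hypothetical.

```c
/* Userspace model of the refactoring; not kernel code. struct ima_namespace,
 * init_ima_ns, get_current_ns() and CONFIG_IMA_NS are names from the thread;
 * every field and model_* helper is hypothetical. */
#include <stdio.h>

struct ima_namespace {
    unsigned long violations;  /* hypothetical: formerly a global counter */
    int policy_flags;          /* hypothetical: formerly a global flag word */
};

/* The initial namespace owns the state that used to be global. */
struct ima_namespace init_ima_ns = { .violations = 0, .policy_flags = 0x1 };

#ifdef CONFIG_IMA_NS
/* Hypothetical stand-in for the lookup through struct user_namespace. */
static struct ima_namespace *model_task_ns = &init_ima_ns;
void model_enter_ns(struct ima_namespace *ns) { model_task_ns = ns; }
struct ima_namespace *get_current_ns(void) { return model_task_ns; }
#else
/* Before namespacing is enabled: always the initial namespace. */
struct ima_namespace *get_current_ns(void) { return &init_ima_ns; }
#endif

/* Callees take the namespace as an argument and touch no globals. */
int model_policy_active(const struct ima_namespace *ns)
{
    return (ns->policy_flags & 0x1) != 0;
}

void model_record_violation(struct ima_namespace *ns)
{
    ns->violations++;
}

/* Entry point: resolve the namespace once, then pass it down. */
unsigned long model_file_check(void)
{
    struct ima_namespace *ns = get_current_ns();

    if (model_policy_active(ns))
        model_record_violation(ns);
    return ns->violations;
}

int main(void)
{
    printf("violations after one check: %lu\n", model_file_check());
    return 0;
}
```

Built without `-DCONFIG_IMA_NS`, every caller resolves to `&init_ima_ns`, while a second `struct ima_namespace` passed to the same helpers keeps its own state.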