linux-security-module.vger.kernel.org archive mirror
From: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>
To: Christian Brauner <christian.brauner@ubuntu.com>
Cc: "linux-integrity@vger.kernel.org"
	<linux-integrity@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"containers@lists.linux-foundation.org" 
	<containers@lists.linux-foundation.org>,
	"linux-security-module@vger.kernel.org" 
	<linux-security-module@vger.kernel.org>,
	"zohar@linux.ibm.com" <zohar@linux.ibm.com>,
	"stefanb@linux.vnet.ibm.com" <stefanb@linux.vnet.ibm.com>,
	"sunyuqiong1988@gmail.com" <sunyuqiong1988@gmail.com>,
	"mkayaalp@cs.binghamton.edu" <mkayaalp@cs.binghamton.edu>,
	"dmitry.kasatkin@gmail.com" <dmitry.kasatkin@gmail.com>,
	"serge@hallyn.com" <serge@hallyn.com>,
	"jmorris@namei.org" <jmorris@namei.org>,
	"christian@brauner.io" <christian@brauner.io>,
	Silviu Vlasceanu <Silviu.Vlasceanu@huawei.com>,
	Roberto Sassu <roberto.sassu@huawei.com>
Subject: RE: [RFC PATCH 00/30] ima: Introduce IMA namespace
Date: Fri, 21 Aug 2020 15:18:08 +0000
Message-ID: <8fe0d5c879af46cc8ec64d429c601b3d@huawei.com>
In-Reply-To: <20200818155350.oy3axodt3vj5k7ij@wittgenstein>

> From: Christian Brauner [mailto:christian.brauner@ubuntu.com]
> On Tue, Aug 18, 2020 at 05:20:07PM +0200, krzysztof.struczynski@huawei.com wrote:
> > From: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>
> >
> > IMA has not been designed to work with containers. It handles every
> > process in the same way, and it cannot distinguish if a process belongs to
> > a container or not.
> >
> > Containers use namespaces to make it appear to the processes in the
> > containers that they have their own isolated instance of the global
> > resource. For IMA as well, it is desirable to let processes in the
> > containers have IMA functionality independent from other containers:
> > separate policy rules, measurement list, additional appraisal keys to
> > verify the container image, separate audit logs.
> >
> > Following previous work done in this area, this patch series introduces the IMA
> > namespace, which is a separate instance of IMA to handle a subset of
> > processes that belong to a container.
> >
> > The IMA namespace is created using clone3() or unshare() system calls. It
> > is important to configure the namespace before any process appears in it,
> > so that the new policy rules apply to the very first process in the
> > namespace. To achieve that, the intermediate namespace ima_ns_for_children
> > is used. It stores the configuration and becomes active on the next fork
> > or when the first process enters it using the setns() system call. A
> > similar process is used for the time namespace.
> >
> > The IMA namespace can be configured using the new securityfs directory
> > entries that allow the user to set the policy rules, x509 certificate for
> > appraisal and pass IMA configuration parameters normally included in the
> > kernel command line parameters. It is intended to extend the clone_args to
> > allow configuration from clone3() syscall.
> 
> Not to be the downer right away but just as an fyi, if this patchset
> makes it, clone3() will not allow to be extended with any real
> second-level pointers. That will see a hard NAK from me and several
> other maintainers.

Ok, that's a good point. It can be done without the second-level pointers,
but if that's not desirable, then IMA namespace creation via a direct
clone3() call can be removed. It will make the process less flexible, but
it will still work with unshare() and clone3(), or unshare() and setns(),
calls.

> 
> Christian
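The two-step creation the cover letter describes (unshare, configure the namespace while it is still empty, then fork so the very first process already sees the configuration) is the pattern the existing time namespace uses, which the cover letter names as its model. The program below is an added example, not code from the patch series or from anyone in this thread: it demonstrates the *_for_children mechanism with the time namespace (CLONE_NEWTIME, /proc/self/ns/time_for_children, /proc/self/timens_offsets), because the IMA namespace clone flag and securityfs entries proposed in the RFC are not named on this page. Running the full sequence in main() needs CAP_SYS_ADMIN and a kernel with time namespaces (5.6 or later); the timens_pending() check itself needs no privilege.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* CLONE_NEWTIME (Linux 5.6) may be missing from older sched.h headers. */
#ifndef CLONE_NEWTIME
#define CLONE_NEWTIME 0x00000080
#endif

/* Read the target of /proc/self/ns/<name>, e.g. "time:[4026531834]".
 * Returns the length on success, -1 if the link does not exist. */
static ssize_t ns_link(const char *name, char *buf, size_t len)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/self/ns/%s", name);
    ssize_t n = readlink(path, buf, len - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

/* Compare the caller's active time namespace with its "for children" one.
 * Returns 1 if they differ (a configured-but-empty namespace is pending),
 * 0 if they are the same, -1 if this kernel has no time namespaces. */
int timens_pending(void)
{
    char active[64], child[64];
    if (ns_link("time", active, sizeof active) < 0 ||
        ns_link("time_for_children", child, sizeof child) < 0)
        return -1;
    return strcmp(active, child) != 0;
}

/* Write a CLOCK_MONOTONIC offset into the not-yet-active namespace.
 * The kernel rejects this with EACCES once any process lives in it. */
static int set_monotonic_offset(long secs)
{
    char line[64];
    int fd = open("/proc/self/timens_offsets", O_WRONLY);
    if (fd < 0)
        return -1;
    snprintf(line, sizeof line, "monotonic %ld 0\n", secs);
    ssize_t n = write(fd, line, strlen(line));
    close(fd);
    return n < 0 ? -1 : 0;
}

int main(void)
{
    if (timens_pending() < 0) {
        fprintf(stderr, "no time namespace support on this kernel\n");
        return 1;
    }

    /* Step 1: create the namespace. Only time_for_children changes; the
     * caller stays in its old namespace, so the new one has no member yet. */
    if (unshare(CLONE_NEWTIME) < 0) {
        perror("unshare(CLONE_NEWTIME) (needs CAP_SYS_ADMIN)");
        return 1;
    }
    printf("after unshare: pending=%d\n", timens_pending()); /* 1 */

    /* Step 2: configure it while it is still empty. This is the window the
     * IMA cover letter wants for policy and keys: after the first member
     * appears, the kernel refuses further writes here. */
    if (set_monotonic_offset(3600) < 0) {
        perror("write /proc/self/timens_offsets");
        return 1;
    }

    /* Step 3: the next fork() places the child in the configured namespace,
     * so the configuration applies to the very first process inside it. */
    pid_t pid = fork();
    if (pid == 0) {
        printf("child: pending=%d\n", timens_pending()); /* 0 */
        _exit(0);
    }
    waitpid(pid, NULL, 0);
    return 0;
}
```

Build with `cc -o timens timens.c` and run as root: the parent prints pending=1 after unshare() and the child prints pending=0, showing that the namespace became active only on fork. The EACCES on late writes is the same "configure before anyone is in it" guarantee the cover letter asks for from ima_ns_for_children.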
