From: James Bottomley <jejb@linux.ibm.com>
To: Stefan Berger <stefanb@linux.ibm.com>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	Denis Semakin <denis.semakin@huawei.com>
Cc: "linux-integrity@vger.kernel.org"
	<linux-integrity@vger.kernel.org>,
	"zohar@linux.ibm.com" <zohar@linux.ibm.com>,
	"christian.brauner@ubuntu.com" <christian.brauner@ubuntu.com>,
	"containers@lists.linux.dev" <containers@lists.linux.dev>,
	"dmitry.kasatkin@gmail.com" <dmitry.kasatkin@gmail.com>,
	"ebiederm@xmission.com" <ebiederm@xmission.com>,
	Krzysztof Struczynski <krzysztof.struczynski@huawei.com>,
	Roberto Sassu <roberto.sassu@huawei.com>,
	"mpeters@redhat.com" <mpeters@redhat.com>,
	"lhinds@redhat.com" <lhinds@redhat.com>,
	"lsturman@redhat.com" <lsturman@redhat.com>,
	"puiterwi@redhat.com" <puiterwi@redhat.com>,
	"jamjoom@us.ibm.com" <jamjoom@us.ibm.com>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"paul@paul-moore.com" <paul@paul-moore.com>,
	"rgb@redhat.com" <rgb@redhat.com>,
	"linux-security-module@vger.kernel.org"
	<linux-security-module@vger.kernel.org>,
	"jmorris@namei.org" <jmorris@namei.org>
Subject: Re: [PATCH v5 14/16] ima: Use mac_admin_ns_capable() to check corresponding capability
Date: Sat, 11 Dec 2021 11:00:42 -0500
Message-ID: <985818fabf3ed1478fd53cb4dd48162fff132492.camel@linux.ibm.com>
In-Reply-To: <7a914d80-db7c-cdd9-358a-97138ec6d750@linux.ibm.com>

On Sat, 2021-12-11 at 10:38 -0500, Stefan Berger wrote:
> On 12/11/21 10:02, Serge E. Hallyn wrote:
> > IMO yes it is unsafe, however I concede that I am not sufficiently
> > familiar with the policy language.  At least Stefan and Mimi (IIUC)
> > want the host policy language to be able to specify cases where an
> > IMA ns can be configured.  What's not clear to me is what sorts of
> > triggers the host IMA policy could specify that would safely
> > identify an IMA ns generation trigger.
> > 
> > Stefan, would you mind showing what such a policy statement would
> > look like? Does it amount to "/usr/bin/runc may create an IMA ns
> > which escapes current policy" ?  Or is it by UID, or any file which
> > has a certain xattr on it?
> 
> If this policy here is active on the host then file executions
> (BPRM_CHECK) of uid=0 should be measured and audited on the host in
> any IMA namespace that uid=0 may create. We achieve this with
> hierarchical processing (v6: 10/17).
> 
> measure func=BPRM_CHECK mask=MAY_EXEC uid=0
> 
> audit func=BPRM_CHECK mask=MAY_EXEC uid=0

Or perhaps to put another way that might be more useful to unprivileged
containers: if you strip the uid=0 from both of those statements, you
get a rule that logs and audits any execution.  Once you enter the IMA
namespace, in that namespace you see nothing, but outside the parent is
still logging and auditing all executions, including those inside the
container, according to its measure/audit all executions rule.  The
container can't turn that off by writes to its policy file.

So the container can never escape any policy rule imposed by the parent.

James
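A small Python model of the hierarchical processing described above, added here as an illustration and not code from the patch series or from anyone in the thread. `Rule`, `ImaNamespace` and `demo` are hypothetical names; the model only knows the `func`, `mask` and `uid` selectors used in the quoted policy lines and treats every matching rule as firing.

```python
from dataclasses import dataclass, field
from typing import Optional
@dataclass
class Rule:
    action: str                # "measure" or "audit"
    func: str                  # IMA hook, e.g. "BPRM_CHECK"
    mask: str                  # access mask, e.g. "MAY_EXEC"
    uid: Optional[int] = None  # None: the rule applies to any uid

    def matches(self, func: str, mask: str, uid: int) -> bool:
        return (self.func == func and self.mask == mask
                and (self.uid is None or self.uid == uid))

def parse_rule(line: str) -> Rule:
    """Parse one policy line, e.g. 'measure func=BPRM_CHECK mask=MAY_EXEC uid=0'."""
    action, *kvs = line.split()
    kv = dict(item.split("=", 1) for item in kvs)
    return Rule(action, kv["func"], kv["mask"],
                int(kv["uid"]) if "uid" in kv else None)

@dataclass
class ImaNamespace:
    name: str
    parent: Optional["ImaNamespace"]
    rules: list = field(default_factory=list)

    def write_policy(self, text: str) -> None:
        # A write to a namespace's policy file replaces only that namespace's rules.
        self.rules = [parse_rule(l) for l in text.splitlines() if l.strip()]

    def process(self, func: str, mask: str, uid: int) -> list:
        """Walk from this namespace up to init_ima_ns and collect every
        (namespace, action) pair whose rule matches the access."""
        fired, ns = [], self
        while ns is not None:
            fired += [(ns.name, r.action) for r in ns.rules if r.matches(func, mask, uid)]
            ns = ns.parent
        return fired

def demo(host_policy: str, uid: int) -> list:
    """Host installs host_policy, a child IMA ns wipes its own policy, then a
    process with the given uid is exec'd inside the child."""
    host = ImaNamespace("init_ima_ns", None)
    host.write_policy(host_policy)
    container = ImaNamespace("container", host)
    container.write_policy("")  # the container clears its own rules
    return container.process("BPRM_CHECK", "MAY_EXEC", uid)

# Constructed host policies: the quoted uid=0 pair and the same pair with uid stripped.
HOST_UID0 = "measure func=BPRM_CHECK mask=MAY_EXEC uid=0\naudit func=BPRM_CHECK mask=MAY_EXEC uid=0"
HOST_ANY = "measure func=BPRM_CHECK mask=MAY_EXEC\naudit func=BPRM_CHECK mask=MAY_EXEC"
```

With `HOST_ANY` installed, an exec by any uid inside the container still fires the host's measure and audit rules even though the container's own policy is empty; with `HOST_UID0`, only uid 0 does.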
