From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>,
Stefan Berger <stefanb@linux.vnet.ibm.com>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>,
mkayaalp@cs.binghamton.edu,
Mehmet Kayaalp <mkayaalp@linux.vnet.ibm.com>,
sunyuqiong1988@gmail.com, containers@lists.linux-foundation.org,
linux-kernel@vger.kernel.org, david.safford@ge.com,
linux-security-module@vger.kernel.org,
linux-integrity@vger.kernel.org
Subject: Re: [RFC PATCH v2 1/3] ima: extend clone() with IMA namespace support
Date: Wed, 21 Mar 2018 11:19:46 -0400 [thread overview]
Message-ID: <1521645586.3848.136.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <87d10513id.fsf@xmission.com>
On Thu, 2018-03-15 at 15:35 -0500, Eric W. Biederman wrote:
> Stefan Berger <stefanb@linux.vnet.ibm.com> writes:
> > On 03/15/2018 03:20 PM, Eric W. Biederman wrote:
[..]
> >> From previous conversations I remember that there is a legitimate
> >> bootstrap problem for IMA. That needs to be looked at, and I am not
> >> seeing that mentioned.
> >
> > IMA's log should not have a gap. So ideally we shouldn't have to write something
> > into sysfs to spawn a new IMA namespace so that we don't miss whatever setup may
> > have happened to get there, including the writing into procfs. IMA should be
> > there right from the start. So a clone flag would be ideal for that.
>
> Please make that securityfs not sysfs. Sysfs should be about the
> hardware not these higher level software details. I really don't want
> to have to namespace sysfs more than I already have.
>
> As for the no gaps requirement. That is a powerful lever for ruling out
> solutions that don't work as well.
IMA-measurement and IMA-audit need to be enabled from the very
beginning. The only reason we differentiate between IMA-measurement
and IMA-audit from IMA-appraisal is simply because the initramfs
doesn't include xattrs. Once support for CPIO xattrs is upstreamed,
IMA-appraisal could then also be enabled from the very beginning. For
now, we rely on the initramfs being measured (and appraised) and
enable IMA-appraisal before any files are accessed from real root.
Systems with a custom /init today already can enable IMA-appraisal
from the very beginning.
In terms of IMA namespacing, we shouldn't need to differentiate
between IMA-measurement and IMA-audit from IMA-appraisal. All of them
should be initialized from the very beginning to capture all
measurements in the measurement list, audit the measurements and
appraise all files.
Requiring IMA namespacing to be joined to another namespace
complicates things, like the unnecessary creation of IMA namespaces.
Just as there is an "owning" namespace for other namespaces, there
should be an "owning" IMA namespace, which is independent of either
the mount or user namespace.
(I hope I'm using the term "owning" properly here.)
Mimi
next prev parent reply other threads:[~2018-03-21 15:20 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-09 20:14 [RFC PATCH v2 0/3] ima: namespacing IMA Stefan Berger
2018-03-09 20:14 ` [RFC PATCH v2 1/3] ima: extend clone() with IMA namespace support Stefan Berger
2018-03-15 10:40 ` Eric W. Biederman
2018-03-15 15:26 ` Stefan Berger
2018-03-15 17:33 ` James Bottomley
2018-03-15 18:26 ` Stefan Berger
2018-03-15 18:45 ` James Bottomley
2018-03-15 18:51 ` Stefan Berger
2018-03-15 19:01 ` James Bottomley
2018-03-15 19:15 ` Stefan Berger
2018-03-15 19:20 ` Eric W. Biederman
2018-03-15 19:49 ` Stefan Berger
2018-03-15 20:35 ` Eric W. Biederman
2018-03-21 15:19 ` Mimi Zohar [this message]
2018-03-16 17:04 ` Stefan Berger
2018-03-22 16:47 ` Stefan Berger
2018-03-09 20:14 ` [RFC PATCH v2 2/3] ima: Add ns_status for storing namespaced iint data Stefan Berger
2018-03-09 20:14 ` [RFC PATCH v2 3/3] ima: mamespace audit status flags Stefan Berger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1521645586.3848.136.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=containers@lists.linux-foundation.org \
--cc=david.safford@ge.com \
--cc=ebiederm@xmission.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mkayaalp@cs.binghamton.edu \
--cc=mkayaalp@linux.vnet.ibm.com \
--cc=stefanb@linux.vnet.ibm.com \
--cc=sunyuqiong1988@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).