From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: krzysztof.struczynski@huawei.com,
linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org,
containers@lists.linux-foundation.org,
linux-security-module@vger.kernel.org
Cc: zohar@linux.ibm.com, stefanb@linux.vnet.ibm.com,
sunyuqiong1988@gmail.com, mkayaalp@cs.binghamton.edu,
dmitry.kasatkin@gmail.com, serge@hallyn.com, jmorris@namei.org,
christian@brauner.io, silviu.vlasceanu@huawei.com,
roberto.sassu@huawei.com
Subject: Re: [RFC PATCH 00/30] ima: Introduce IMA namespace
Date: Tue, 18 Aug 2020 09:19:31 -0700
Message-ID: <1597767571.3898.15.camel@HansenPartnership.com>
In-Reply-To: <20200818152037.11869-1-krzysztof.struczynski@huawei.com>
On Tue, 2020-08-18 at 17:20 +0200, krzysztof.struczynski@huawei.com wrote:
> The measurement list remains global, with the assumption that there
> is only one TPM in the system. Each IMA namespace has a unique ID
> that allows measurements to be tracked per IMA namespace. Processes in one
> namespace have access only to the measurements from that namespace.
> The exception is made for the initial IMA namespace, whose processes
> have access to all entries.
So I think this can work in the use case where the system owner is
responsible for doing the logging and attestation and the tenants just
trust the owner without requiring an attestation. However, in a
multi-tenant system you need a way for the attestation to be per-container
(because the combined list of who executed what would be a security
leak between tenants). Since we can't virtualise the PCRs without
introducing a vtpm, this is going to require a vtpm infrastructure like
that used for virtual machines, and then we can do IMA logging per
container.

I don't think the above has to be in your first patch set; we just have
to have an idea of how it could be done, to show that nothing in this
patch set precludes a follow-on from doing this.

James
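The exchange above turns on one property of the design: the measurement list and the TPM PCR are shared across all IMA namespaces, so a tenant's subset of the log cannot be validated against the real PCR without the other tenants' entries, and a single PCR cannot serve as a per-container attestation root. The following simulation is an added example, not code from the patch set or from either author; it models the hardware PCR as a SHA-256 extend chain and assumes namespace ID 0 is the initial IMA namespace and that each log entry carries its namespace ID, both of which are simplifications of what the RFC describes.

```python
import hashlib
from dataclasses import dataclass, field

PCR_SIZE = 32          # SHA-256 bank
INITIAL_NS = 0         # assumption: the initial IMA namespace has ID 0


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: new = H(old || digest)."""
    return hashlib.sha256(pcr + digest).digest()


@dataclass
class MeasurementEntry:
    ns_id: int        # IMA namespace that produced the measurement
    path: str
    digest: bytes


@dataclass
class MeasurementLog:
    """A single global list plus the single hardware PCR it extends into."""
    entries: list = field(default_factory=list)
    pcr: bytes = bytes(PCR_SIZE)

    def measure(self, ns_id: int, path: str, content: bytes) -> None:
        digest = hashlib.sha256(content).digest()
        self.entries.append(MeasurementEntry(ns_id, path, digest))
        self.pcr = pcr_extend(self.pcr, digest)   # one PCR for everyone

    def visible_entries(self, viewer_ns: int) -> list:
        """Initial namespace sees all; others see only their own entries."""
        if viewer_ns == INITIAL_NS:
            return list(self.entries)
        return [e for e in self.entries if e.ns_id == viewer_ns]


def replay_pcr(entries) -> bytes:
    """What a verifier computes from a log it was given."""
    pcr = bytes(PCR_SIZE)
    for e in entries:
        pcr = pcr_extend(pcr, e.digest)
    return pcr


def verify_against_shared_pcr(log: MeasurementLog, viewer_ns: int) -> bool:
    """Does the log visible to viewer_ns reproduce the real (shared) PCR?

    Only the initial namespace can succeed: a tenant's filtered log omits
    the other tenants' extends, so it can never match the hardware value.
    """
    return replay_pcr(log.visible_entries(viewer_ns)) == log.pcr


def per_namespace_vpcr(log: MeasurementLog, ns_id: int) -> bytes:
    """The value a per-container virtual PCR (vTPM) would hold: an extend
    chain over that namespace's entries alone, so the tenant's own log
    verifies without disclosing anyone else's measurements."""
    return replay_pcr([e for e in log.entries if e.ns_id == ns_id])


def build_sample_log() -> MeasurementLog:
    """Constructed sample: host plus two tenants sharing one TPM."""
    log = MeasurementLog()
    log.measure(INITIAL_NS, "/sbin/init", b"host init image")
    log.measure(1, "/app/tenant-a", b"tenant A binary")
    log.measure(2, "/app/tenant-b", b"tenant B binary")
    log.measure(1, "/app/tenant-a.conf", b"tenant A config")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("host verifies against shared PCR:", verify_against_shared_pcr(log, INITIAL_NS))
    print("tenant 1 verifies against shared PCR:", verify_against_shared_pcr(log, 1))
    print("tenant 1 verifies against its vPCR:",
          replay_pcr(log.visible_entries(1)) == per_namespace_vpcr(log, 1))
```

Running it shows the gap James points at: the host (initial namespace) reproduces the shared PCR from the full list, tenant 1 cannot reproduce it from the entries it is allowed to see, and the only way to give tenant 1 a verifiable root is a PCR that was extended with tenant 1's entries alone, which is what a per-container vTPM would provide.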
Thread overview: 35+ messages
2020-08-18 15:20 ` [RFC PATCH 00/30] ima: Introduce IMA namespace krzysztof.struczynski
2020-08-18 15:20 ` [RFC PATCH 01/30] ima: Introduce ima namespace krzysztof.struczynski
2020-08-18 15:20 ` [RFC PATCH 02/30] ima: Add a list of the installed ima namespaces krzysztof.struczynski
2020-08-18 15:20 ` [RFC PATCH 03/30] ima: Bind ima namespace to the file descriptor krzysztof.struczynski
2020-08-18 15:20 ` [RFC PATCH 04/30] ima: Add ima policy related data to the ima namespace krzysztof.struczynski
2020-08-18 15:20 ` [RFC PATCH 05/30] ima: Add methods for parsing ima policy configuration string krzysztof.struczynski
2020-08-18 15:20 ` [RFC PATCH 06/30] ima: Add ima namespace to the ima subsystem APIs krzysztof.struczynski
2020-08-18 15:20 ` [RFC PATCH 07/30] ima: Extend the APIs in the integrity subsystem krzysztof.struczynski
2020-08-18 15:20 ` [RFC PATCH 08/30] ima: Add integrity inode related data to the ima namespace krzysztof.struczynski
2020-08-18 15:20 ` [RFC PATCH 09/30] ima: Enable per ima namespace policy settings krzysztof.struczynski
2020-08-18 15:53 ` [RFC PATCH 00/30] ima: Introduce IMA namespace Christian Brauner
2020-08-21 15:18 ` Krzysztof Struczynski
2020-08-18 16:19 ` James Bottomley [this message]
2020-08-21 15:13 ` Krzysztof Struczynski
2020-09-02 18:53 ` Mimi Zohar
2020-09-04 14:06 ` Dr. Greg
2020-09-14 12:05 ` Krzysztof Struczynski
2020-08-18 16:49 ` Christian Brauner
2020-08-21 15:37 ` Krzysztof Struczynski
2020-09-02 19:54 ` Mimi Zohar
2020-09-06 17:14 ` Dr. Greg
[not found] ` <CAKrSGQR3Pw=Rad2RgUuCHqr0r2Nc6x2nLoo2cVAkD+_8Vbmd7A@mail.gmail.com>
2020-09-08 14:03 ` Mimi Zohar
2020-09-14 12:07 ` Krzysztof Struczynski
2020-10-19 9:30 ` Krzysztof Struczynski
2020-10-25 15:00 ` Dr. Greg
2020-09-09 10:11 ` Dr. Greg