From: "Stefan Berger" <stefanb-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
To: Jason Gunthorpe
<jgunthorpe-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
Cc: dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org,
Mimi, dwmw2-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org
Subject: Re: [RFC PATCH 3/4] Implement driver for supporting multiple emulated TPMs
Date: Wed, 27 Jan 2016 16:58:51 -0500 [thread overview]
Message-ID: <201601272158.u0RLwtmR025106@d03av03.boulder.ibm.com> (raw)
In-Reply-To: <20160127175839.GA31038-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
[-- Attachment #1.1: Type: text/plain, Size: 4495 bytes --]
Jason Gunthorpe <jgunthorpe-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org> wrote on 01/27/2016
12:58:39 PM:
>
> On Wed, Jan 27, 2016 at 07:42:17AM -0500, Stefan Berger wrote:
> > What we don't want from the IMA perspective is that someone creates
an
> > IMA namespace on the host similar to how one can create a network
> > namespace (ip netns add ...), runs (malicious) programs under a
> > different IMA policy, and then closes that IMA namespace.
>
> Presumably who ever is implementing IMA namespaces has some kind of
> solution for this though?
>
> That seems like a very difficult problem.
>
> > hand, what we want are containers having their own IMA namespace
with
> > an independent policy. Since the argument is that containers are
well
> > isolated from the host and programs running there don't influence
the
> > host, their logs would be independent. The thing is that containers
are
> > made up of multiple namespaces. So, we likely won't give direct
control
> > over IMA namespace creation through tools like network namespacing
does
> > or even a dedicate clone flag but connect it to one or multiple
> > existing clone flags that cause creation of a (mount, pid, etc.)
> > namespace. So that could mean that if someone creates a mount + pid
> > namespace, and thus is well isolated, he automatically gets an IMA
> > namespace.
>
> That isn't nearly good enough, mount namespaces don't mean you are
> isolated. It isn't until another tool like docker goes through and
> alters the child's mount table that some degree of isolation is
> achieved..
>
> I don't think there is a generic kernel side point where it could tell
> the child is isolated enough. Whatever that means.
I agree. Which set of namespaces is enough for running any program in this
set of namespaces (aka container) and being able to forget about the list
of measurements once the set of namespaces goes away because whatever ran
there couldn't have influenced the host. I would say mount, network, and
user namespace is such a set. Probably also include PID namespace in that
space assuming that in a shared PID namespace one process could signal
other processes. Though this may be mitigated with user namespace mapping
etc.. Not clear about UTS namespace, but may not be so important.
To be on the safe side, maybe all would be required and one gets an IMA
namespace only then.
>
> Doesn't selinux have the exact same problem? How does selinux handle
> namespaces?
They solve it by mounting with a context option, which enforces an sVirt
SELinux label across all files that the container user then cannot change.
tmpfs /dev tmpfs rw,context=
"system_u:object_r:svirt_sandbox_file_t:s0:c322,c860",nosuid,mode=755 0 0
devpts /dev/pts devpts rw,context=
"system_u:object_r:svirt_sandbox_file_t:s0:c322,c860
",nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666 0 0
shm /dev/shm tmpfs
rw,context="system_u:object_r:svirt_sandbox_file_t:s0:c322,c860",nosuid,nodev,noexec,relatime,size=65536k
0 0
tmpfs /sys/fs/cgroup tmpfs
rw,context="system_u:object_r:svirt_sandbox_file_t:s0:c322,c860",nosuid,nodev,noexec,relatime
0 0
tmpfs /run/secrets tmpfs
rw,context="system_u:object_r:svirt_sandbox_file_t:s0:c322,c860",nosuid,nodev,noexec,relatime
0 0
tmpfs /proc/kcore tmpfs
rw,context="system_u:object_r:svirt_sandbox_file_t:s0:c322,c860",nosuid,mode=755
0 0
tmpfs /proc/latency_stats tmpfs
rw,context="system_u:object_r:svirt_sandbox_file_t:s0:c322,c860",nosuid,mode=755
0 0
tmpfs /proc/timer_stats tmpfs
rw,context="system_u:object_r:svirt_sandbox_file_t:s0:c322,c860",nosuid,mode=755
0 0
>
> > IMA namespacing would then provide less control for users compared
to
> > network namespacing and therefore an ioctl, issued from the
clone()ing
> > process, for IMA+vTPM driver hook-up would be sufficient.
>
> I agree IMA namespaces probably don't need the whole 'ip setns' type
> interface, but realistically if an ioctl is provided to install a TPM
> in a child namespace it should let anyone with privilege in the parent
> namespaces install a TPM in a child IMA namespace, that is just how
> the namespace APIs seem to work.
Agree.
>
> That said, maybe looking at selinux namespaces interaction will give a
> different idea..
See above. We cannot use the same trick.
Stefan
>
> Jason
>
[-- Attachment #1.2: Type: text/html, Size: 5738 bytes --]
[-- Attachment #2: Type: text/plain, Size: 413 bytes --]
------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
[-- Attachment #3: Type: text/plain, Size: 192 bytes --]
_______________________________________________
tpmdd-devel mailing list
tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org
https://lists.sourceforge.net/lists/listinfo/tpmdd-devel
next prev parent reply other threads:[~2016-01-27 21:58 UTC|newest]
Thread overview: 68+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-14 16:01 [RFC PATCH 0/4] Multi-instance vTPM driver Stefan Berger
[not found] ` <1452787318-29610-1-git-send-email-stefanb-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2016-01-14 16:01 ` [RFC PATCH 1/4] New flags for TPM chip avoiding filesystem registrations Stefan Berger
[not found] ` <1452787318-29610-2-git-send-email-stefanb-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2016-01-21 8:07 ` Jarkko Sakkinen
2016-01-14 16:01 ` [RFC PATCH 2/4] Allow to provide a name pattern of the device Stefan Berger
2016-01-14 16:01 ` [RFC PATCH 3/4] Implement driver for supporting multiple emulated TPMs Stefan Berger
[not found] ` <1452787318-29610-4-git-send-email-stefanb-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2016-01-19 23:51 ` Jason Gunthorpe
[not found] ` <20160119235107.GA4307-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-01-20 14:39 ` Stefan Berger
[not found] ` <201601201439.u0KEdGB9031710-YREtIfBy6dDImUpY6SP3GEEOCMrvLtNR@public.gmane.org>
2016-01-27 2:36 ` Jarkko Sakkinen
[not found] ` <20160127023603.GA23863-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2016-01-27 12:17 ` Stefan Berger
[not found] ` <201601271217.u0RCHQIX004914@d03av02.boulder.ibm.com>
[not found] ` <201601271217.u0RCHQIX004914-nNA/7dmquNI+UXBhvPuGgqsjOiXwFzmk@public.gmane.org>
2016-01-27 14:22 ` Jarkko Sakkinen
[not found] ` <20160127142239.GA3756-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2016-01-27 18:24 ` Jason Gunthorpe
[not found] ` <20160127182448.GA31680-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-01-27 21:13 ` Jarkko Sakkinen
2016-01-27 22:38 ` Stefan Berger
[not found] ` <201601271217.u0RCHQkf003637@d03av03.boulder.ibm.com>
[not found] ` <201601271217.u0RCHQkf003637-MijUUJkLaQs+UXBhvPuGgqsjOiXwFzmk@public.gmane.org>
2016-01-27 17:35 ` Jason Gunthorpe
[not found] ` <201601201439.u0KEdFao027907@d03av05.boulder.ibm.com>
[not found] ` <201601201439.u0KEdFao027907-3MP/CPU4Muo+UXBhvPuGgqsjOiXwFzmk@public.gmane.org>
2016-01-21 1:17 ` Jason Gunthorpe
[not found] ` <20160121011701.GA20361-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-01-21 3:01 ` Stefan Berger
[not found] ` <201601210301.u0L31hLD018933-nNA/7dmquNI+UXBhvPuGgqsjOiXwFzmk@public.gmane.org>
2016-01-27 2:50 ` Jarkko Sakkinen
[not found] ` <20160127025057.GB23863-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2016-01-27 12:20 ` Stefan Berger
[not found] ` <201601271220.u0RCKpEG016626@d03av02.boulder.ibm.com>
[not found] ` <201601271220.u0RCKpEG016626-nNA/7dmquNI+UXBhvPuGgqsjOiXwFzmk@public.gmane.org>
2016-01-27 14:23 ` Jarkko Sakkinen
[not found] ` <201601210301.u0L31h5r012187@d03av03.boulder.ibm.com>
[not found] ` <201601210301.u0L31h5r012187-MijUUJkLaQs+UXBhvPuGgqsjOiXwFzmk@public.gmane.org>
2016-01-21 3:21 ` Jason Gunthorpe
[not found] ` <20160121032115.GA26266-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-01-21 3:56 ` Stefan Berger
[not found] ` <201601210356.u0L3uP1n029818@d03av05.boulder.ibm.com>
[not found] ` <201601210356.u0L3uP1n029818-3MP/CPU4Muo+UXBhvPuGgqsjOiXwFzmk@public.gmane.org>
2016-01-21 17:42 ` Jason Gunthorpe
[not found] ` <20160121174243.GD3064-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-01-21 19:02 ` Stefan Berger
[not found] ` <201601211902.u0LJ2LbL001130@d03av01.boulder.ibm.com>
[not found] ` <201601211902.u0LJ2LbL001130-Rn83F4s8Lwc+UXBhvPuGgqsjOiXwFzmk@public.gmane.org>
2016-01-21 19:30 ` Jason Gunthorpe
[not found] ` <20160121193049.GA31938-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-01-21 21:51 ` Stefan Berger
[not found] ` <201601212151.u0LLpC93021986@d03av03.boulder.ibm.com>
[not found] ` <201601212151.u0LLpC93021986-MijUUJkLaQs+UXBhvPuGgqsjOiXwFzmk@public.gmane.org>
2016-01-21 22:10 ` Jason Gunthorpe
[not found] ` <20160121221040.GA1630-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-01-22 12:01 ` Jarkko Sakkinen
2016-01-22 15:09 ` Stefan Berger
[not found] ` <56A2461C.7030607-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2016-01-25 18:10 ` Jason Gunthorpe
[not found] ` <20160125181046.GB28108-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-01-26 1:05 ` Stefan Berger
2016-01-26 1:46 ` Jarkko Sakkinen
[not found] ` <20160126014652.GB10732-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2016-01-26 3:19 ` Jason Gunthorpe
[not found] ` <20160126031919.GA24217-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-01-26 13:56 ` Jarkko Sakkinen
[not found] ` <20160126135658.GA6813-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2016-01-26 17:58 ` Jason Gunthorpe
[not found] ` <20160126175816.GA17937-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-01-27 2:06 ` Jarkko Sakkinen
[not found] ` <20160127020617.GB22703-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2016-01-27 19:48 ` Jarkko Sakkinen
[not found] ` <201601260105.u0Q15IWW028777@d03av04.boulder.ibm.com>
[not found] ` <201601260105.u0Q15IWW028777-2xHzGjyANq4+UXBhvPuGgqsjOiXwFzmk@public.gmane.org>
2016-01-26 3:46 ` Jason Gunthorpe
[not found] ` <20160126034632.GB24217-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-01-26 14:21 ` Stefan Berger
2016-02-02 19:22 ` Stefan Berger
[not found] ` <201601261421.u0QELnI3002626@d01av02.pok.ibm.com>
[not found] ` <201601261421.u0QELnI3002626-prK0F/7GlgzImUpY6SP3GEEOCMrvLtNR@public.gmane.org>
2016-01-26 18:22 ` Jason Gunthorpe
[not found] ` <20160126182248.GB17937-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-01-26 23:22 ` Stefan Berger
[not found] ` <201601262322.u0QNMo1r022303@d03av03.boulder.ibm.com>
[not found] ` <201601262322.u0QNMo1r022303-MijUUJkLaQs+UXBhvPuGgqsjOiXwFzmk@public.gmane.org>
2016-01-27 18:21 ` Jason Gunthorpe
2016-01-27 3:13 ` Jarkko Sakkinen
[not found] ` <20160127031320.GC23863-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2016-01-27 12:42 ` Stefan Berger
[not found] ` <201601271242.u0RCgM0E031875@d03av05.boulder.ibm.com>
[not found] ` <201601271242.u0RCgM0E031875-3MP/CPU4Muo+UXBhvPuGgqsjOiXwFzmk@public.gmane.org>
2016-01-27 17:58 ` Jason Gunthorpe
[not found] ` <20160127175839.GA31038-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-01-27 21:58 ` Stefan Berger [this message]
[not found] ` <201601272158.u0RLwvIK005533@d01av01.pok.ibm.com>
[not found] ` <201601272158.u0RLwvIK005533-4ZtxiNBBw+3ImUpY6SP3GEEOCMrvLtNR@public.gmane.org>
2016-01-27 22:25 ` Jason Gunthorpe
[not found] ` <20160127222534.GB5520-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-01-27 22:55 ` Stefan Berger
[not found] ` <201601272255.u0RMtuqY014120@d03av02.boulder.ibm.com>
[not found] ` <201601272255.u0RMtuqY014120-nNA/7dmquNI+UXBhvPuGgqsjOiXwFzmk@public.gmane.org>
2016-01-27 23:33 ` Jason Gunthorpe
2016-01-14 16:01 ` [RFC PATCH 4/4] A test program for vTPM device creation Stefan Berger
2016-01-15 10:11 ` [RFC PATCH 0/4] Multi-instance vTPM driver Jarkko Sakkinen
[not found] ` <20160115101146.GA11987-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2016-01-15 13:02 ` Stefan Berger
[not found] ` <201601151302.u0FD2wGG003518@d03av03.boulder.ibm.com>
[not found] ` <201601151302.u0FD2wGG003518-MijUUJkLaQs+UXBhvPuGgqsjOiXwFzmk@public.gmane.org>
2016-01-25 23:15 ` Jarkko Sakkinen
[not found] ` <20160125231532.GA10732-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2016-01-26 0:28 ` Stefan Berger
2016-01-26 0:29 ` Jarkko Sakkinen
[not found] ` <201601260029.u0Q0T7Ek004865@d03av04.boulder.ibm.com>
[not found] ` <201601260029.u0Q0T7Ek004865-2xHzGjyANq4+UXBhvPuGgqsjOiXwFzmk@public.gmane.org>
2016-01-26 1:48 ` Jarkko Sakkinen
2016-01-19 17:44 ` Jason Gunthorpe
[not found] ` <201601191753.u0JHrku2031608@d01av01.pok.ibm.com>
[not found] ` <201601191753.u0JHrku2031608-4ZtxiNBBw+3ImUpY6SP3GEEOCMrvLtNR@public.gmane.org>
2016-01-19 18:08 ` Jason Gunthorpe
[not found] ` <20160119180802.GA8038-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-01-19 18:18 ` Stefan Berger
2016-01-19 22:14 ` Mimi Zohar
[not found] ` <1453241668.2673.31.camel-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2016-01-19 22:48 ` Jason Gunthorpe
[not found] ` <20160119224851.GA31745-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-01-19 23:05 ` Stefan Berger
[not found] ` <201601191818.u0JIIExQ010843@d03av04.boulder.ibm.com>
[not found] ` <201601191818.u0JIIExQ010843-2xHzGjyANq4+UXBhvPuGgqsjOiXwFzmk@public.gmane.org>
2016-01-19 23:04 ` Jason Gunthorpe
[not found] ` <20160119230456.GB31745-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-01-19 23:15 ` Stefan Berger
[not found] ` <201601192315.u0JNFFG6030371-Rn83F4s8Lwc+UXBhvPuGgqsjOiXwFzmk@public.gmane.org>
2016-01-20 15:40 ` Ken Goldman
[not found] ` <201601192315.u0JNFGkm029862@d01av04.pok.ibm.com>
[not found] ` <201601192315.u0JNFGkm029862-YREtIfBy6dDImUpY6SP3GEEOCMrvLtNR@public.gmane.org>
2016-01-19 23:42 ` Jason Gunthorpe
[not found] ` <20160119174400.GA7616-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-01-19 17:53 ` Stefan Berger
2016-01-19 22:59 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201601272158.u0RLwtmR025106@d03av03.boulder.ibm.com \
--to=stefanb-r/jw6+rmf7hqt0dzr+alfa@public.gmane.org \
--cc=dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=dwmw2-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org \
--cc=jgunthorpe-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org \
--cc=tpmdd-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).