| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20170725175317.GA727@mail.hallyn.com>
Date: Tue, 25 Jul 2017 12:53:17 -0500
From: "Serge E. Hallyn" <serge@...lyn.com>
To: Mehmet Kayaalp <mkayaalp@...ux.vnet.ibm.com>
Cc: ima-devel <linux-ima-devel@...ts.sourceforge.net>,
containers <containers@...ts.linux-foundation.org>,
linux-kernel <linux-kernel@...r.kernel.org>,
linux-security-module <linux-security-module@...r.kernel.org>,
Tycho Andersen <tycho@...ker.com>,
"Serge E . Hallyn" <serge@...lyn.com>,
Yuqiong Sun <sunyuqiong1988@...il.com>,
David Safford <david.safford@...com>,
Mehmet Kayaalp <mkayaalp@...binghamton.edu>,
Stefan Berger <stefanb@...ux.vnet.ibm.com>,
Yuqiong Sun <suny@...ibm.com>
Subject: Re: [RFC PATCH 1/5] ima: extend clone() with IMA namespace support
On Thu, Jul 20, 2017 at 06:50:29PM -0400, Mehmet Kayaalp wrote:
> From: Yuqiong Sun <suny@...ibm.com>
>
> Add new CONFIG_IMA_NS config option. Let clone() create a new IMA
> namespace upon CLONE_NEWNS flag. Add ima_ns data structure in nsproxy.
> ima_ns is allocated and freed upon IMA namespace creation and exit.
> Currently, the ima_ns contains no useful IMA data but only a dummy
> interface. This patch creates the framework for namespacing the different
> aspects of IMA (eg. IMA-audit, IMA-measurement, IMA-appraisal).
>
> Signed-off-by: Yuqiong Sun <suny@...ibm.com>
>
> Changelog:
> * Use CLONE_NEWNS instead of a new CLONE_NEWIMA flag
Hi,
So this means that every mount namespace clone will clone a new IMA
namespace. Is that really ok?
Powered by blists - more mailing lists