lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20170725190406.GA1883@mail.hallyn.com>
Date:   Tue, 25 Jul 2017 14:04:06 -0500
From:   "Serge E. Hallyn" <serge@...lyn.com>
To:     James Bottomley <James.Bottomley@...senPartnership.com>
Cc:     "Serge E. Hallyn" <serge@...lyn.com>,
        Mehmet Kayaalp <mkayaalp@...ux.vnet.ibm.com>,
        Mehmet Kayaalp <mkayaalp@...binghamton.edu>,
        Yuqiong Sun <sunyuqiong1988@...il.com>,
        containers <containers@...ts.linux-foundation.org>,
        linux-kernel <linux-kernel@...r.kernel.org>,
        David Safford <david.safford@...com>,
        linux-security-module <linux-security-module@...r.kernel.org>,
        ima-devel <linux-ima-devel@...ts.sourceforge.net>,
        Yuqiong Sun <suny@...ibm.com>
Subject: Re: [RFC PATCH 1/5] ima: extend clone() with IMA namespace support

On Tue, Jul 25, 2017 at 11:49:14AM -0700, James Bottomley wrote:
> On Tue, 2017-07-25 at 12:53 -0500, Serge E. Hallyn wrote:
> > On Thu, Jul 20, 2017 at 06:50:29PM -0400, Mehmet Kayaalp wrote:
> > > 
> > > From: Yuqiong Sun <suny@...ibm.com>
> > > 
> > > Add new CONFIG_IMA_NS config option.  Let clone() create a new IMA
> > > namespace upon CLONE_NEWNS flag. Add ima_ns data structure in
> > > nsproxy.
> > > ima_ns is allocated and freed upon IMA namespace creation and exit.
> > > Currently, the ima_ns contains no useful IMA data but only a dummy
> > > interface. This patch creates the framework for namespacing the
> > > different
> > > aspects of IMA (eg. IMA-audit, IMA-measurement, IMA-appraisal).
> > > 
> > > Signed-off-by: Yuqiong Sun <suny@...ibm.com>
> > > 
> > > Changelog:
> > > * Use CLONE_NEWNS instead of a new CLONE_NEWIMA flag
> > 
> > Hi,
> > 
> > So this means that every mount namespace clone will clone a new IMA
> > namespace.  Is that really ok?
> 
> Based on what: space concerns (struct ima_ns is reasonably small)? or
> whether tying it to the mount namespace is the correct thing to do.  On

Mostly the latter.  The other would be not so much space concerns as
time concerns.  Many things use new mounts namespaces, and we wouldn't
want multiple IMA calls on all file accesses by all of those.

> the latter, it does seem that this should be a property of either the
> mount or user ns rather than its own separate ns.  I could see a use
> where even a container might want multiple ima keyrings within the
> container (say containerised apache service with multiple tenants), so
> instinct tells me that mount ns is the correct granularity for this.

I wonder whether we could use echo 1 > /sys/kernel/security/ima/newns as
the trigger for requesting a new ima ns on the next clone(CLONE_NEWNS).

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ