lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 15 Mar 2018 12:01:07 -0700
From:   James Bottomley <James.Bottomley@...senPartnership.com>
To:     Stefan Berger <stefanb@...ux.vnet.ibm.com>,
        "Eric W. Biederman" <ebiederm@...ssion.com>
Cc:     mkayaalp@...binghamton.edu,
        Mehmet Kayaalp <mkayaalp@...ux.vnet.ibm.com>,
        sunyuqiong1988@...il.com, containers@...ts.linux-foundation.org,
        linux-kernel@...r.kernel.org, david.safford@...com,
        linux-security-module@...r.kernel.org,
        linux-integrity@...r.kernel.org, zohar@...ux.vnet.ibm.com
Subject: Re: [RFC PATCH v2 1/3] ima: extend clone() with IMA namespace
 support

On Thu, 2018-03-15 at 14:51 -0400, Stefan Berger wrote:
> On 03/15/2018 02:45 PM, James Bottomley wrote:
[...]
> > > > going to need some type of keyring namespace and there's
> > > > already
> > > > one hanging off the user_ns:
> > > > 
> > > > commit f36f8c75ae2e7d4da34f4c908cebdb4aa42c977e
> > > > Author: David Howells <dhowells@...hat.com>
> > > > Date:   Tue Sep 24 10:35:19 2013 +0100
> > > > 
> > > >       KEYS: Add per-user_namespace registers for persistent
> > > > per-UID
> > > > kerberos caches
> > > The benefit for IMA would be that this would then tie the keys
> > > needed for appraising to the IMA namespace's policy.
> > > However, if you have an appraise policy in your IMA namespace,
> > > which is now hooked to the user namespace, and you join that user
> > > namespace but your files don't have signatures, nothing will
> > > execute anymore. That's now a side effect of joining this user
> > > namespace unless we have a magic  exception. My feeling is,
> > > people may not like that...
> > Agree, but I think the magic might be to populate the ima keyring
> > with the parent on user_ns creation.  That way the user_ns owner
> > can delete the parent keys if they don't like them, but by default
> > the parent appraisal policy should just work.
> 
> That may add keys to your keyring but doesn't get you signatures on
> your  files.

But it doesn't need to.  The only way we'd get a failure is if the file
is already being appraised and we lose access to the key.  If the
parent policy isn't appraisal, entering the IMA NS won't cause
appraisal to be turned on unless the owner asks for it, in which case
it's caveat emptor: As it works today, if as root I add a default
appraisal policy to IMA without either a key or xattrs, I get an
unusable system.

James

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ