[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <8d9220d5-2acc-2818-c351-36b369e4b50e@linux.vnet.ibm.com>
Date: Thu, 22 Mar 2018 12:47:14 -0400
From: Stefan Berger <stefanb@...ux.vnet.ibm.com>
To: James Bottomley <James.Bottomley@...senPartnership.com>,
"Eric W. Biederman" <ebiederm@...ssion.com>
Cc: mkayaalp@...binghamton.edu,
Mehmet Kayaalp <mkayaalp@...ux.vnet.ibm.com>,
sunyuqiong1988@...il.com, containers@...ts.linux-foundation.org,
linux-kernel@...r.kernel.org, david.safford@...com,
linux-security-module@...r.kernel.org,
linux-integrity@...r.kernel.org, zohar@...ux.vnet.ibm.com
Subject: Re: [RFC PATCH v2 1/3] ima: extend clone() with IMA namespace support
On 03/15/2018 03:01 PM, James Bottomley wrote:
> On Thu, 2018-03-15 at 14:51 -0400, Stefan Berger wrote:
>> On 03/15/2018 02:45 PM, James Bottomley wrote:
> [...]
>>>>> going to need some type of keyring namespace and there's
>>>>> already
>>>>> one hanging off the user_ns:
>>>>>
>>>>> commit f36f8c75ae2e7d4da34f4c908cebdb4aa42c977e
>>>>> Author: David Howells <dhowells@...hat.com>
>>>>> Date: Tue Sep 24 10:35:19 2013 +0100
>>>>>
>>>>> KEYS: Add per-user_namespace registers for persistent
>>>>> per-UID
>>>>> kerberos caches
>>>> The benefit for IMA would be that this would then tie the keys
>>>> needed for appraising to the IMA namespace's policy.
>>>> However, if you have an appraise policy in your IMA namespace,
>>>> which is now hooked to the user namespace, and you join that user
>>>> namespace but your files don't have signatures, nothing will
>>>> execute anymore. That's now a side effect of joining this user
>>>> namespace unless we have a magic exception. My feeling is,
>>>> people may not like that...
>>> Agree, but I think the magic might be to populate the ima keyring
>>> with the parent on user_ns creation. That way the user_ns owner
>>> can delete the parent keys if they don't like them, but by default
>>> the parent appraisal policy should just work.
>> That may add keys to your keyring but doesn't get you signatures on
>> your files.
> But it doesn't need to. The only way we'd get a failure is if the file
> is already being appraised and we lose access to the key. If the
> parent policy isn't appraisal, entering the IMA NS won't cause
> appraisal to be turned on unless the owner asks for it, in which case
> it's caveat emptor: As it works today, if as root I add a default
> appraisal policy to IMA without either a key or xattrs, I get an
> unusable system.
When I post a next implementation for the spawning if an IMA namespace,
what shall be the criterion for accepting it?
Stefan
>
> James
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
Powered by blists - more mailing lists