| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1523636702.3272.63.camel@linux.vnet.ibm.com>
Date: Fri, 13 Apr 2018 12:25:02 -0400
From: Mimi Zohar <zohar@...ux.vnet.ibm.com>
To: "Eric W. Biederman" <ebiederm@...ssion.com>,
Stefan Berger <stefanb@...ux.vnet.ibm.com>
Cc: linux-integrity@...r.kernel.org,
containers@...ts.linux-foundation.org,
linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org, tycho@...ker.com,
serge@...lyn.com, sunyuqiong1988@...il.com, david.safford@...com,
mkayaalp@...binghamton.edu, James.Bottomley@...senPartnership.com,
Yuqiong Sun <suny@...ibm.com>,
Mehmet Kayaalp <mkayaalp@...ux.vnet.ibm.com>,
John Johansen <john.johansen@...onical.com>
Subject: Re: [RFC PATCH v3 1/3] ima: extend clone() with IMA namespace
support
[Cc'ing John Johansen]
On Tue, 2018-03-27 at 18:01 -0500, Eric W. Biederman wrote:
[...]
> As such I expect the best way to create the ima namespace is by simply
> writing to securityfs/imafs. Possibly before the user namespace is
> even unshared. That would allow IMA to keep track of things from
> before a container is created.
My initial thought was to stage IMA namespacing with just IMA-audit
first, followed by either IMA-measurement or IMA-appraisal. This
would allow us to get the basic IMA namespacing framework working and
defer dealing with the securityfs related namespacing of the IMA
policy and measurement list issues to later.
By tying IMA namespacing to a securityfs ima/unshare file, we would
need to address the securityfs issues first.
Mimi
Powered by blists - more mailing lists