Date:   Sat, 11 Dec 2021 10:38:11 -0500
From:   Stefan Berger <stefanb@...ux.ibm.com>
To:     "Serge E. Hallyn" <serge@...lyn.com>,
        Denis Semakin <denis.semakin@...wei.com>
Cc:     "linux-integrity@...r.kernel.org" <linux-integrity@...r.kernel.org>,
        "zohar@...ux.ibm.com" <zohar@...ux.ibm.com>,
        "christian.brauner@...ntu.com" <christian.brauner@...ntu.com>,
        "containers@...ts.linux.dev" <containers@...ts.linux.dev>,
        "dmitry.kasatkin@...il.com" <dmitry.kasatkin@...il.com>,
        "ebiederm@...ssion.com" <ebiederm@...ssion.com>,
        Krzysztof Struczynski <krzysztof.struczynski@...wei.com>,
        Roberto Sassu <roberto.sassu@...wei.com>,
        "mpeters@...hat.com" <mpeters@...hat.com>,
        "lhinds@...hat.com" <lhinds@...hat.com>,
        "lsturman@...hat.com" <lsturman@...hat.com>,
        "puiterwi@...hat.com" <puiterwi@...hat.com>,
        "jejb@...ux.ibm.com" <jejb@...ux.ibm.com>,
        "jamjoom@...ibm.com" <jamjoom@...ibm.com>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "paul@...l-moore.com" <paul@...l-moore.com>,
        "rgb@...hat.com" <rgb@...hat.com>,
        "linux-security-module@...r.kernel.org" 
        <linux-security-module@...r.kernel.org>,
        "jmorris@...ei.org" <jmorris@...ei.org>
Subject: Re: [PATCH v5 14/16] ima: Use mac_admin_ns_capable() to check corresponding capability


On 12/11/21 10:02, Serge E. Hallyn wrote:
> IMO yes it is unsafe, however I concede that I am not sufficiently familiar
> with the policy language.  At least Stefan and Mimi (IIUC) want the host
> policy language to be able to specify cases where an IMA ns can be
> configured.  What's not clear to me is what sorts of triggers the host
> IMA policy could specify that would safely identify an IMA ns generation
> trigger.
>
> Stefan, would you mind showing what such a policy statement would look like?
> Does it amount to "/usr/bin/runc may create an IMA ns which escapes current
> policy" ?  Or is it by UID, or any file which has a certain xattr on it?

If this policy here is active on the host then file executions 
(BPRM_CHECK) of uid=0 should be measured and audited on the host in any 
IMA namespace that uid=0 may create. We achieve this with hierarchical 
processing (v6: 10/17).

measure func=BPRM_CHECK mask=MAY_EXEC uid=0

audit func=BPRM_CHECK mask=MAY_EXEC uid=0

    Stefan
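Added illustration of the hierarchical processing described above (my own model, not kernel code and not part of the patch series): it parses the two policy lines quoted in the reply and shows that a uid=0 exec inside a child IMA namespace with an empty policy is still measured and audited by the host. It assumes, as simplifications, that uid= compares the kernel-global uid and that the first matching rule of a class decides; the child namespace and the exec event are constructed sample data.

```python
# Added illustration, not kernel code: a small model of IMA policy rules and
# hierarchical processing. Assumed simplifications: an access in a child IMA
# namespace is checked against its own policy and then each ancestor's up to the
# host; uid= compares the kernel-global uid; the first matching rule of a class
# (measure/dont_measure) decides and later rules of that class are skipped.

def parse_rule(line):
    """'measure func=BPRM_CHECK mask=MAY_EXEC uid=0' -> ('measure', {...})."""
    action, *conds = line.split()
    if action not in ("measure", "dont_measure", "audit", "appraise", "dont_appraise"):
        raise ValueError("unknown action: " + action)
    parsed = {}
    for cond in conds:
        key, _, value = cond.partition("=")
        parsed[key] = int(value) if key == "uid" else value
    return action, parsed

class ImaNamespace:
    def __init__(self, name, parent=None, policy=""):
        self.name, self.parent = name, parent
        self.rules = [parse_rule(l) for l in policy.splitlines() if l.strip()]
        self.measurements, self.audit_log = [], []

    def decide(self, event):
        measure, audit, decided = False, False, set()
        for action, conds in self.rules:
            base = action[5:] if action.startswith("dont_") else action
            if base in decided or any(event.get(k) != v for k, v in conds.items()):
                continue
            decided.add(base)   # this class is settled by the first matching rule
            if base == "measure":
                measure = (action == "measure")
            elif base == "audit":
                audit = True
        return measure, audit

def process_event(ns, event):
    # Walk from the accessing namespace up to the host, applying each policy.
    cur = ns
    while cur is not None:
        measure, audit = cur.decide(event)
        if measure:
            cur.measurements.append((ns.name, event["path"]))
        if audit:
            cur.audit_log.append((ns.name, event["path"]))
        cur = cur.parent

HOST_POLICY = "measure func=BPRM_CHECK mask=MAY_EXEC uid=0\naudit func=BPRM_CHECK mask=MAY_EXEC uid=0\n"
host = ImaNamespace("host", policy=HOST_POLICY)
child = ImaNamespace("container", parent=host)   # constructed: child has no policy of its own
# constructed sample event: uid 0 inside the child namespace executes a binary
process_event(child, {"func": "BPRM_CHECK", "mask": "MAY_EXEC", "uid": 0, "path": "/usr/bin/runc"})
```

After the run, the host's measurement list and audit log each hold the container's exec while the child's own lists stay empty, which is the effect of the host rules being applied to the child namespace.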


>
> -serge
>
> On Thu, Dec 09, 2021 at 08:09:20AM +0000, Denis Semakin wrote:
>> Following those thoughts...
>> Would it be so incorrect to unbind IMA-ns from USER-ns?
>> I realize that it could lead to a lot of problems, but it is still unclear whether the current IMA-ns will be useful for Kuber...
>> How is userland supposed to use the current IMA-ns implementation?
>>
>> Br,
>> Denis
>>
>> -----Original Message-----
>> From: Denis Semakin
>> Sent: Thursday, December 9, 2021 10:22 AM
>> To: 'Stefan Berger' <stefanb@...ux.ibm.com>; linux-integrity@...r.kernel.org
>> Cc: zohar@...ux.ibm.com; serge@...lyn.com; christian.brauner@...ntu.com; containers@...ts.linux.dev; dmitry.kasatkin@...il.com; ebiederm@...ssion.com; Krzysztof Struczynski <krzysztof.struczynski@...wei.com>; Roberto Sassu <roberto.sassu@...wei.com>; mpeters@...hat.com; lhinds@...hat.com; lsturman@...hat.com; puiterwi@...hat.com; jejb@...ux.ibm.com; jamjoom@...ibm.com; linux-kernel@...r.kernel.org; paul@...l-moore.com; rgb@...hat.com; linux-security-module@...r.kernel.org; jmorris@...ei.org
>> Subject: RE: [PATCH v5 14/16] ima: Use mac_admin_ns_capable() to check corresponding capability
>>
>> Hi.
>> My question won't be about capabilities. I'm wondering how IMA-ns, which is associated with USER-ns and is created during USER-ns creation, would be used by namespace orchestration systems, e.g. Kubernetes. It seems that it can run without any user namespaces...
>> Their community is just discussing the opportunity to support user namespaces (see https://github.com/kubernetes/enhancements/pull/2101).
>> It looks like the current IMA-ns will not be applicable to Kubernetes.
>>
>> Br,
>> Denis
>>
>> -----Original Message-----
>> From: Stefan Berger [mailto:stefanb@...ux.ibm.com]
>> Sent: Thursday, December 9, 2021 1:18 AM
>> To: linux-integrity@...r.kernel.org
>> Cc: zohar@...ux.ibm.com; serge@...lyn.com; christian.brauner@...ntu.com; containers@...ts.linux.dev; dmitry.kasatkin@...il.com; ebiederm@...ssion.com; Krzysztof Struczynski <krzysztof.struczynski@...wei.com>; Roberto Sassu <roberto.sassu@...wei.com>; mpeters@...hat.com; lhinds@...hat.com; lsturman@...hat.com; puiterwi@...hat.com; jejb@...ux.ibm.com; jamjoom@...ibm.com; linux-kernel@...r.kernel.org; paul@...l-moore.com; rgb@...hat.com; linux-security-module@...r.kernel.org; jmorris@...ei.org; Stefan Berger <stefanb@...ux.ibm.com>; Denis Semakin <denis.semakin@...wei.com>
>> Subject: [PATCH v5 14/16] ima: Use mac_admin_ns_capable() to check corresponding capability
>>
>> Use mac_admin_ns_capable() to check the corresponding capability, allowing the IMA policy to be read/written without CAP_SYS_ADMIN but with CAP_MAC_ADMIN.
>>
>> Signed-off-by: Denis Semakin <denis.semakin@...wei.com>
>> Signed-off-by: Stefan Berger <stefanb@...ux.ibm.com>
>> ---
>>   include/linux/capability.h      | 6 ++++++
>>   security/integrity/ima/ima_fs.c | 2 +-
>>   2 files changed, 7 insertions(+), 1 deletion(-)
>>
>> diff --git a/include/linux/capability.h b/include/linux/capability.h index 65efb74c3585..991579178f32 100644
>> --- a/include/linux/capability.h
>> +++ b/include/linux/capability.h
>> @@ -270,6 +270,12 @@ static inline bool checkpoint_restore_ns_capable(struct user_namespace *ns)
>>   		ns_capable(ns, CAP_SYS_ADMIN);
>>   }
>>   
>> +static inline bool mac_admin_ns_capable(struct user_namespace *ns) {
>> +	return ns_capable(ns, CAP_MAC_ADMIN) ||
>> +		ns_capable(ns, CAP_SYS_ADMIN);
>> +}
>> +
>>   /* audit system wants to get cap info from files as well */  int get_vfs_caps_from_disk(struct user_namespace *mnt_userns,
>>   			   const struct dentry *dentry,
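Review bot: the new mac_admin_ns_capable() helper has no comment stating what it authorizes or why CAP_SYS_ADMIN is kept as a fallback alongside CAP_MAC_ADMIN; since the surrounding thread is precisely about whether CAP_SYS_ADMIN in a user namespace should be enough to administer IMA, a one-line comment above the function such as "CAP_MAC_ADMIN in @ns, or CAP_SYS_ADMIN as before, may administer MAC policy" would record the intended semantics next to the neighbouring checkpoint_restore_ns_capable(), which uses the same CAP_X || CAP_SYS_ADMIN shape.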
>> diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c index 0e582ceecc7f..a749a3e79304 100644
>> --- a/security/integrity/ima/ima_fs.c
>> +++ b/security/integrity/ima/ima_fs.c
>> @@ -394,7 +394,7 @@ static int ima_open_policy(struct inode *inode, struct file *filp)  #else
>>   		if ((filp->f_flags & O_ACCMODE) != O_RDONLY)
>>   			return -EACCES;
>> -		if (!capable(CAP_SYS_ADMIN))
>> +		if (!mac_admin_ns_capable(ns->user_ns))
>>   			return -EPERM;
>>   		return seq_open(filp, &ima_policy_seqops);  #endif
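Review bot: the commit message says the change allows the IMA policy to be read and written with CAP_MAC_ADMIN, but the only hunk in ima_fs.c replaces the check on the read path (the #else branch guarding seq_open() after the O_RDONLY test); no write-side check is touched here, so either the message should say that only the read path changes or the hunk that authorizes policy writes belongs in this patch. Also, ns is not introduced anywhere in the visible context of ima_open_policy(), so the message should name the earlier patch in the series that provides it.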
>> --
>> 2.31.1
