Message-ID: <7a914d80-db7c-cdd9-358a-97138ec6d750@linux.ibm.com>
Date: Sat, 11 Dec 2021 10:38:11 -0500
From: Stefan Berger <stefanb@...ux.ibm.com>
To: "Serge E. Hallyn" <serge@...lyn.com>,
Denis Semakin <denis.semakin@...wei.com>
Cc: "linux-integrity@...r.kernel.org" <linux-integrity@...r.kernel.org>,
"zohar@...ux.ibm.com" <zohar@...ux.ibm.com>,
"christian.brauner@...ntu.com" <christian.brauner@...ntu.com>,
"containers@...ts.linux.dev" <containers@...ts.linux.dev>,
"dmitry.kasatkin@...il.com" <dmitry.kasatkin@...il.com>,
"ebiederm@...ssion.com" <ebiederm@...ssion.com>,
Krzysztof Struczynski <krzysztof.struczynski@...wei.com>,
Roberto Sassu <roberto.sassu@...wei.com>,
"mpeters@...hat.com" <mpeters@...hat.com>,
"lhinds@...hat.com" <lhinds@...hat.com>,
"lsturman@...hat.com" <lsturman@...hat.com>,
"puiterwi@...hat.com" <puiterwi@...hat.com>,
"jejb@...ux.ibm.com" <jejb@...ux.ibm.com>,
"jamjoom@...ibm.com" <jamjoom@...ibm.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"paul@...l-moore.com" <paul@...l-moore.com>,
"rgb@...hat.com" <rgb@...hat.com>,
"linux-security-module@...r.kernel.org"
<linux-security-module@...r.kernel.org>,
"jmorris@...ei.org" <jmorris@...ei.org>
Subject: Re: [PATCH v5 14/16] ima: Use mac_admin_ns_capable() to check corresponding capability
On 12/11/21 10:02, Serge E. Hallyn wrote:
> IMO yes it is unsafe, however I concede that I am not sufficiently familiar
> with the policy language. At least Stefan and Mimi (IIUC) want the host
> policy language to be able to specify cases where an IMA ns can be
> configured. What's not clear to me is what sorts of triggers the host
> IMA policy could specify that would safely identify an IMA ns generation
> trigger.
>
> Stefan, would you mind showing what such a policy statement would look like?
> Does it amount to "/usr/bin/runc may create an IMA ns which escapes current
> policy" ? Or is it by UID, or any file which has a certain xattr on it?
If this policy here is active on the host then file executions
(BPRM_CHECK) of uid=0 should be measured and audited on the host in any
IMA namespace that uid=0 may create. We achieve this with hierarchical
processing (v6: 10/17).
measure func=BPRM_CHECK mask=MAY_EXEC uid=0
audit func=BPRM_CHECK mask=MAY_EXEC uid=0
Stefan
>
> -serge
>
> On Thu, Dec 09, 2021 at 08:09:20AM +0000, Denis Semakin wrote:
>> Following those thoughts...
>> Would it be so incorrect to unbind IMA-ns from USER-ns?
>> I realize that it could lead to a lot of problems, but it is still unclear whether the current IMA-ns will be useful for Kuber...
>> How is userland supposed to use the current IMA-ns implementation?
>>
>> Br,
>> Denis
>>
>> -----Original Message-----
>> From: Denis Semakin
>> Sent: Thursday, December 9, 2021 10:22 AM
>> To: 'Stefan Berger' <stefanb@...ux.ibm.com>; linux-integrity@...r.kernel.org
>> Cc: zohar@...ux.ibm.com; serge@...lyn.com; christian.brauner@...ntu.com; containers@...ts.linux.dev; dmitry.kasatkin@...il.com; ebiederm@...ssion.com; Krzysztof Struczynski <krzysztof.struczynski@...wei.com>; Roberto Sassu <roberto.sassu@...wei.com>; mpeters@...hat.com; lhinds@...hat.com; lsturman@...hat.com; puiterwi@...hat.com; jejb@...ux.ibm.com; jamjoom@...ibm.com; linux-kernel@...r.kernel.org; paul@...l-moore.com; rgb@...hat.com; linux-security-module@...r.kernel.org; jmorris@...ei.org
>> Subject: RE: [PATCH v5 14/16] ima: Use mac_admin_ns_capable() to check corresponding capability
>>
>> Hi.
>> My question won't be about capabilities. I'm wondering how an IMA-ns which is associated with a USER-ns and is created during USER-ns creation would be used by namespace orchestration systems, e.g. Kubernetes?.. It seems that it can be run without any user namespaces...
>> Their community is just discussing this opportunity to support user namespaces. (see https://github.com/kubernetes/enhancements/pull/2101)
>> Looks like currently IMA-ns will not be applicable for Kubernetes.
>>
>> Br,
>> Denis
>>
>> -----Original Message-----
>> From: Stefan Berger [mailto:stefanb@...ux.ibm.com]
>> Sent: Thursday, December 9, 2021 1:18 AM
>> To: linux-integrity@...r.kernel.org
>> Cc: zohar@...ux.ibm.com; serge@...lyn.com; christian.brauner@...ntu.com; containers@...ts.linux.dev; dmitry.kasatkin@...il.com; ebiederm@...ssion.com; Krzysztof Struczynski <krzysztof.struczynski@...wei.com>; Roberto Sassu <roberto.sassu@...wei.com>; mpeters@...hat.com; lhinds@...hat.com; lsturman@...hat.com; puiterwi@...hat.com; jejb@...ux.ibm.com; jamjoom@...ibm.com; linux-kernel@...r.kernel.org; paul@...l-moore.com; rgb@...hat.com; linux-security-module@...r.kernel.org; jmorris@...ei.org; Stefan Berger <stefanb@...ux.ibm.com>; Denis Semakin <denis.semakin@...wei.com>
>> Subject: [PATCH v5 14/16] ima: Use mac_admin_ns_capable() to check corresponding capability
>>
>> Use mac_admin_ns_capable() to check the corresponding capability, allowing the IMA policy to be read/written without CAP_SYS_ADMIN but with CAP_MAC_ADMIN.
>>
>> Signed-off-by: Denis Semakin <denis.semakin@...wei.com>
>> Signed-off-by: Stefan Berger <stefanb@...ux.ibm.com>
>> ---
>> include/linux/capability.h | 6 ++++++
>> security/integrity/ima/ima_fs.c | 2 +-
>> 2 files changed, 7 insertions(+), 1 deletion(-)
>>
>> diff --git a/include/linux/capability.h b/include/linux/capability.h index 65efb74c3585..991579178f32 100644
>> --- a/include/linux/capability.h
>> +++ b/include/linux/capability.h
>> @@ -270,6 +270,12 @@ static inline bool checkpoint_restore_ns_capable(struct user_namespace *ns)
>> ns_capable(ns, CAP_SYS_ADMIN);
>> }
>>
>> +static inline bool mac_admin_ns_capable(struct user_namespace *ns) {
>> + return ns_capable(ns, CAP_MAC_ADMIN) ||
>> + ns_capable(ns, CAP_SYS_ADMIN);
>> +}
>> +
>> /* audit system wants to get cap info from files as well */ int get_vfs_caps_from_disk(struct user_namespace *mnt_userns,
>> const struct dentry *dentry,
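Review bot: mac_admin_ns_capable() has no comment explaining why CAP_SYS_ADMIN is still accepted alongside CAP_MAC_ADMIN; since the commit message says the point is to allow access "without CAP_SYS_ADMIN but with CAP_MAC_ADMIN", a one-line comment above the helper stating that CAP_SYS_ADMIN is kept for compatibility with the previous capable(CAP_SYS_ADMIN) check (mirroring the neighbouring checkpoint_restore_ns_capable() pattern) would save the next reader from wondering whether the fallback is intentional.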
>> diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c index 0e582ceecc7f..a749a3e79304 100644
>> --- a/security/integrity/ima/ima_fs.c
>> +++ b/security/integrity/ima/ima_fs.c
>> @@ -394,7 +394,7 @@ static int ima_open_policy(struct inode *inode, struct file *filp) #else
>> if ((filp->f_flags & O_ACCMODE) != O_RDONLY)
>> return -EACCES;
>> - if (!capable(CAP_SYS_ADMIN))
>> + if (!mac_admin_ns_capable(ns->user_ns))
>> return -EPERM;
>> return seq_open(filp, &ima_policy_seqops); #endif
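Review bot: the visible change only covers the read path: the replaced capable(CAP_SYS_ADMIN) sits in the `#else` branch after the `(filp->f_flags & O_ACCMODE) != O_RDONLY` check and before seq_open(filp, &ima_policy_seqops), so this hunk affects opening the policy file for reading only, whereas the commit message says "read/write IMA policy". Either narrow the commit message to the read path, or show where the write-side permission check is adjusted. Also, `ns` is not defined within this hunk's context lines, so the change depends on an `ns` variable introduced earlier in the series; a pointer to that patch in the commit message would help reviewers reading this patch in isolation.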
>> --
>> 2.31.1
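The following is an added example, not code from this thread or from the kernel series under review. It is a deliberately simplified Python model of IMA policy rule matching plus the hierarchical processing Stefan refers to, written to illustrate his point that a host rule such as `measure func=BPRM_CHECK mask=MAY_EXEC uid=0` still applies to an exec inside a child IMA namespace. The namespace model, the "first matching rule per action class wins" simplification, the treatment of `uid` as the host-view uid, and all names (`Rule`, `Event`, `ImaNamespace`, `evaluate_hierarchical`) are assumptions made for the example; real IMA rule matching supports many more conditions and records results per namespace in the kernel.

```python
"""Simplified model of IMA policy evaluation with hierarchical processing.

Assumptions (not from the thread or the kernel):
  * only the conditions used on the page are supported: func, mask, uid
  * uid in an Event is the host-view uid of the executing process
  * per action class (measure/audit/appraise) the first matching rule wins,
    and a dont_* rule switches that class off
  * hierarchical processing means every namespace from the one where the
    exec happens up to the host evaluates its own policy
"""
from dataclasses import dataclass
from typing import Optional

ACTIONS = {"measure", "audit", "appraise",
           "dont_measure", "dont_audit", "dont_appraise"}
SUPPORTED_CONDS = {"func", "mask", "uid"}


@dataclass(frozen=True)
class Rule:
    action: str
    conds: tuple  # ((key, value), ...) in the order written


def parse_policy(text: str) -> list:
    """Parse IMA-style policy lines like 'measure func=BPRM_CHECK uid=0'."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, *tokens = line.split()
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        conds = []
        for tok in tokens:
            key, sep, val = tok.partition("=")
            if not sep or key not in SUPPORTED_CONDS:
                raise ValueError(f"unsupported condition {tok!r}")
            conds.append((key, val))
        rules.append(Rule(action, tuple(conds)))
    return rules


@dataclass(frozen=True)
class Event:
    func: str   # IMA hook, e.g. BPRM_CHECK
    mask: str   # access mask, e.g. MAY_EXEC
    uid: int    # host-view uid of the process


def rule_matches(rule: Rule, ev: Event) -> bool:
    """A rule matches when every condition it lists holds for the event."""
    for key, val in rule.conds:
        if key == "func" and val != ev.func:
            return False
        if key == "mask" and val != ev.mask:
            return False
        if key == "uid" and int(val) != ev.uid:
            return False
    return True


def evaluate(rules: list, ev: Event) -> set:
    """Return the set of actions (measure/audit/appraise) a policy triggers."""
    decided = {}
    for rule in rules:
        base = rule.action[5:] if rule.action.startswith("dont_") else rule.action
        if base in decided:
            continue  # first matching rule for this action class already won
        if rule_matches(rule, ev):
            decided[base] = not rule.action.startswith("dont_")
    return {a for a, enabled in decided.items() if enabled}


@dataclass
class ImaNamespace:
    name: str
    policy: list
    parent: Optional["ImaNamespace"] = None


def evaluate_hierarchical(ns: ImaNamespace, ev: Event) -> dict:
    """Walk from the namespace of the exec up to the host; each level applies
    its own policy and would record its own measurement/audit entry."""
    result = {}
    while ns is not None:
        result[ns.name] = evaluate(ns.policy, ev)
        ns = ns.parent
    return result


# Constructed sample: the host policy from Stefan's reply, plus a child
# namespace whose own policy measures every exec regardless of uid.
HOST_POLICY = (
    "measure func=BPRM_CHECK mask=MAY_EXEC uid=0\n"
    "audit func=BPRM_CHECK mask=MAY_EXEC uid=0\n"
)
CHILD_POLICY = "measure func=BPRM_CHECK mask=MAY_EXEC\n"


def demo() -> dict:
    host = ImaNamespace("host", parse_policy(HOST_POLICY))
    child = ImaNamespace("child", parse_policy(CHILD_POLICY), parent=host)
    return {
        "root_exec": evaluate_hierarchical(child, Event("BPRM_CHECK", "MAY_EXEC", 0)),
        "user_exec": evaluate_hierarchical(child, Event("BPRM_CHECK", "MAY_EXEC", 1000)),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

Running the script shows the asymmetry Stefan describes: an exec by host uid 0 inside the child namespace is measured by the child's policy and both measured and audited by the host's policy, while an exec by uid 1000 is measured only by the child, because the host rules are restricted to `uid=0`.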