Message-ID: <d41434d2-150a-1e4e-8b40-73fe5c834e97@linux.ibm.com>
Date:   Wed, 26 Jan 2022 11:52:35 -0500
From:   Stefan Berger <stefanb@...ux.ibm.com>
To:     Stefan Berger <stefanb@...ux.vnet.ibm.com>,
        linux-integrity@...r.kernel.org
Cc:     zohar@...ux.ibm.com, serge@...lyn.com,
        christian.brauner@...ntu.com, containers@...ts.linux.dev,
        dmitry.kasatkin@...il.com, ebiederm@...ssion.com,
        krzysztof.struczynski@...wei.com, roberto.sassu@...wei.com,
        mpeters@...hat.com, lhinds@...hat.com, lsturman@...hat.com,
        puiterwi@...hat.com, jejb@...ux.ibm.com, jamjoom@...ibm.com,
        linux-kernel@...r.kernel.org, paul@...l-moore.com, rgb@...hat.com,
        linux-security-module@...r.kernel.org, jmorris@...ei.org
Subject: Re: [PATCH v9 00/23] ima: Namespace IMA with audit support in IMA-ns


On 1/25/22 17:46, Stefan Berger wrote:
> From: Stefan Berger <stefanb@...ux.ibm.com>
>
> The goal of this series of patches is to start with the namespacing of
> IMA and support auditing within an IMA namespace (IMA-ns) as the first
> step.
[...]
>
>
> My tree with these patches is here:
>
> git fetch https://github.com/stefanberger/linux-ima-namespaces v5.16+imans.v9.posted

Thanks a lot for the first round of Acks, Christian. I haven't looked 
through all the comments yet, though.

If one pulls this branch one will see that there's a directory STAGE3. 
This is where I have been storing patches that explore how deep the can 
is that we are opening here. So yeah, it's pretty deep... In my latest 
branch I now have 40 patches beyond what we have here that add 
IMA-measurement support, inheritance of hash algo and IMA template from 
parent to child, and IMA-appraisal to the IMA namespaces, but it doesn't 
tackle yet all of the issues. At some point it pulls in integrity and 
EVM for namespacing as well... All 'dimensions of this problem' look 
good but the patches there are not as clean as we have them here right 
now. So considering the depth of the problem this may take a while...

I also have a test suite just for IMA namespacing that tests IMA-audit 
in IMA-ns and these upcoming aspects, and I try to test a lot of things 
by running many namespaces in parallel to test the locking. I run 
certain tests with up to 1920 namespaces concurrently and so far it's 
been good, especially with the lock groups from v9 18/23. So don't shake 
that tree there too hard.

https://github.com/stefanberger/ima-namespaces-tests

The test suite should be able to skip any tests for which there's no 
support in Linux. So with this series applied the audit related tests 
should all work.

You can check out the test suite but you may need to move along with my 
Linux patch branches as I update the test suite. The problem is of 
course that design changes in Linux patches affect the test suite. So 
this may cause hiccups. And I have been using forced updates to solve 
this issue... The tests have been working on Fedora 34 x86 and ppc64. 
The unshare tool on Ubuntu 20.04 seems to be too old to run certain 
tests correctly.

Cheers!

    Stefan

