Message-ID: <d41434d2-150a-1e4e-8b40-73fe5c834e97@linux.ibm.com>
Date: Wed, 26 Jan 2022 11:52:35 -0500
From: Stefan Berger <stefanb@...ux.ibm.com>
To: Stefan Berger <stefanb@...ux.vnet.ibm.com>,
linux-integrity@...r.kernel.org
Cc: zohar@...ux.ibm.com, serge@...lyn.com,
christian.brauner@...ntu.com, containers@...ts.linux.dev,
dmitry.kasatkin@...il.com, ebiederm@...ssion.com,
krzysztof.struczynski@...wei.com, roberto.sassu@...wei.com,
mpeters@...hat.com, lhinds@...hat.com, lsturman@...hat.com,
puiterwi@...hat.com, jejb@...ux.ibm.com, jamjoom@...ibm.com,
linux-kernel@...r.kernel.org, paul@...l-moore.com, rgb@...hat.com,
linux-security-module@...r.kernel.org, jmorris@...ei.org
Subject: Re: [PATCH v9 00/23] ima: Namespace IMA with audit support in IMA-ns
On 1/25/22 17:46, Stefan Berger wrote:
> From: Stefan Berger <stefanb@...ux.ibm.com>
>
> The goal of this series of patches is to start with the namespacing of
> IMA and support auditing within an IMA namespace (IMA-ns) as the first
> step.
[...]
>
>
> My tree with these patches is here:
>
> git fetch https://github.com/stefanberger/linux-ima-namespaces v5.16+imans.v9.posted
Thanks a lot for the first round of Ack's, Christian. I haven't looked
through all the comments, yet, though.
If one pulls this branch, one will see that there's a directory STAGE3.
This is where I have been storing patches that explore how deep the can
is that we are opening here. So yeah, it's pretty deep... In my latest
branch I now have 40 patches beyond what we have here that add
IMA-measurement support, inheritance of hash algo and IMA template from
parent to child, and IMA-appraisal to the IMA namespaces, but it doesn't
yet tackle all of the issues. At some point it pulls in integrity and
EVM for namespacing as well... All 'dimensions of this problem' look
good, but the patches there are not as clean as we have them here right
now. So considering the depth of the problem this may take a while...
I also have a test suite just for IMA namespacing that tests IMA-audit
in IMA-ns and these upcoming aspects, and I try to test a lot of things
by running many namespaces in parallel to test the locking. I run
certain tests with up to 1920 namespaces concurrently and so far it's
been good, especially with the lock groups from v9 18/23. So don't shake
that tree there too hard.
https://github.com/stefanberger/ima-namespaces-tests
The test suite should be able to skip any tests for which there's no
support in Linux. So with this series applied the audit related tests
should all work.
You can check out the test suite, but you may need to move along with my
Linux patch branches as I update the test suite. The problem is of
course that design changes in the Linux patches affect the test suite. So
this may cause hiccups. And I have been using forced updates to solve
this issue... The tests have been working on Fedora 34 x86 and ppc64.
The unshare tool on Ubuntu 20.04 seems to be too old to run certain
tests correctly.
Cheers!
Stefan