[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 2 Feb 2022 13:18:54 -0500
From: Stefan Berger <stefanb@...ux.ibm.com>
To: Mimi Zohar <zohar@...ux.ibm.com>,
Christian Brauner <brauner@...nel.org>, serge@...lyn.com
Cc: linux-integrity@...r.kernel.org, christian.brauner@...ntu.com,
containers@...ts.linux.dev, dmitry.kasatkin@...il.com,
ebiederm@...ssion.com, krzysztof.struczynski@...wei.com,
roberto.sassu@...wei.com, mpeters@...hat.com, lhinds@...hat.com,
lsturman@...hat.com, puiterwi@...hat.com, jejb@...ux.ibm.com,
jamjoom@...ibm.com, linux-kernel@...r.kernel.org,
paul@...l-moore.com, rgb@...hat.com,
linux-security-module@...r.kernel.org, jmorris@...ei.org
Subject: Re: [PATCH v10 00/27] ima: Namespace IMA with audit support in IMA-ns
On 2/2/22 11:04, Mimi Zohar wrote:
> On Wed, 2022-02-02 at 09:40 -0500, Stefan Berger wrote:
>> On 2/2/22 09:13, Christian Brauner wrote:
>>> On Tue, Feb 01, 2022 at 03:37:08PM -0500, Stefan Berger wrote:
>>>> v10:
>>>> - Added A-b's; addressed issues from v9
>>>> - Added 2 patches to support freeing of iint after namespace deletion
>>>> - Added patch to return error code from securityfs functions
>>>> - Added patch to limit number of policy rules in IMA-ns to 1024
>>> I'm going to go take a lighter touch with this round of reviews.
>>> First, because I have February off. :)
>>> Second, because I think that someone who is more familiar with IMA and
>>> its requirements should take another look to provide input and ask more
>>> questions. Last time I spoke to Serge he did want to give this a longer
>>> look and maybe also has additional questions.
>> The one problem I am seeing is that we probably cannot support auditing
>> in IMA namespaces since every user can now create an IMA namespace.
>> Unless auditing was namespaced, the way it is now gives too much control
>> to the user to flood the host audit log.
> Stefan, we need to differentiate between the different types of audit
> records being produced by IMA. Some of these are informational, like
> the policy rules being loaded or "Time of Measure, Time of Use"
> (ToMToU) records. When we discuss IMA-audit we're referring to the
> file hashes being added in the audit log. These are the result of the
> IMA "audit" policy rules.
>
> How much of these informational messages should be audited in IMA
> namespaces still needs to be discussed. For now, feel free to limit
> the audit messages to just the file hashes.
I doubt we should let a user produce informational audit messages or
audit messages related to file hashes... it's unfortunate, but it opens
a door for abuse.
> thanks,
>
> Mimi
>
Powered by blists - more mailing lists