Date:   Wed, 2 Feb 2022 09:40:24 -0500
From:   Stefan Berger <stefanb@...ux.ibm.com>
To:     Christian Brauner <brauner@...nel.org>, serge@...lyn.com
Cc:     linux-integrity@...r.kernel.org, zohar@...ux.ibm.com,
        christian.brauner@...ntu.com, containers@...ts.linux.dev,
        dmitry.kasatkin@...il.com, ebiederm@...ssion.com,
        krzysztof.struczynski@...wei.com, roberto.sassu@...wei.com,
        mpeters@...hat.com, lhinds@...hat.com, lsturman@...hat.com,
        puiterwi@...hat.com, jejb@...ux.ibm.com, jamjoom@...ibm.com,
        linux-kernel@...r.kernel.org, paul@...l-moore.com, rgb@...hat.com,
        linux-security-module@...r.kernel.org, jmorris@...ei.org
Subject: Re: [PATCH v10 00/27] ima: Namespace IMA with audit support in IMA-ns


On 2/2/22 09:13, Christian Brauner wrote:
> On Tue, Feb 01, 2022 at 03:37:08PM -0500, Stefan Berger wrote:
>>
>> v10:
>>   - Added A-b's; addressed issues from v9
>>   - Added 2 patches to support freeing of iint after namespace deletion
>>   - Added patch to return error code from securityfs functions
>>   - Added patch to limit number of policy rules in IMA-ns to 1024
> I'm going to go take a lighter touch with this round of reviews.
> First, because I have February off. :)
> Second, because I think that someone who is more familiar with IMA and
> its requirements should take another look to provide input and ask more
> questions. Last time I spoke to Serge he did want to give this a longer
> look and maybe also has additional questions.

The one problem I am seeing is that we probably cannot support auditing
in IMA namespaces since every user can now create an IMA namespace.
Unless auditing was namespaced, the way it is now gives too much control
to the user to flood the host audit log. So, we may need to head towards
support for IMA measurements in the IMA namespace right away and not
support audit rules but also possibly eliminate other actions that are
being audited by IMA to not occur while an IMA namespace is active, such
as when policy rules are being set etc. Not supporting auditing in
IMA-ns affects only a few of the patches in this series. We need most of
them for a basis of IMA measurements, but to get to IMA measurements
along with support for inheritance and configuration of hash algorithm
and log template etc. to use in the IMA namespace and set it in its
configuration 'stage' (before activation), we will need at least 25 more
patches on top of what we have here now... so this series will then be
around 50 patches.

    Stefan
