lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 23 Feb 2022 12:04:10 -0500
From:   Mimi Zohar <zohar@...ux.ibm.com>
To:     Stefan Berger <stefanb@...ux.ibm.com>,
        linux-integrity@...r.kernel.org
Cc:     serge@...lyn.com, christian.brauner@...ntu.com,
        containers@...ts.linux.dev, dmitry.kasatkin@...il.com,
        ebiederm@...ssion.com, krzysztof.struczynski@...wei.com,
        roberto.sassu@...wei.com, mpeters@...hat.com, lhinds@...hat.com,
        lsturman@...hat.com, puiterwi@...hat.com, jejb@...ux.ibm.com,
        jamjoom@...ibm.com, linux-kernel@...r.kernel.org,
        paul@...l-moore.com, rgb@...hat.com,
        linux-security-module@...r.kernel.org, jmorris@...ei.org
Subject: Re: [PATCH v10 26/27] ima: Limit number of policy rules in
 non-init_ima_ns

On Wed, 2022-02-23 at 11:37 -0500, Stefan Berger wrote:
> On 2/23/22 10:38, Mimi Zohar wrote:
> > On Tue, 2022-02-01 at 15:37 -0500, Stefan Berger wrote:
> >> Limit the number of policy rules one can set in non-init_ima_ns to a
> >> hardcoded 1024 rules. If the user attempts to exceed this limit by
> >> setting too many additional rules, emit an audit message with the cause
> >> 'too-many-rules' and simply ignore the newly added rules.
> > This paragraph describes 'what' you're doing, not 'why'.  Please prefix
> > this paragraph with a short, probably one sentence, reason for the
> > change.
> >> Switch the accounting for the memory allocated for IMA policy rules to
> >> GFP_KERNEL_ACCOUNT so that cgroups kernel memory accounting takes effect.
> > Does this change affect the existing IMA policy rules for init_ima_ns?
> 
> There's typically no cgroup for the int_ima_ns, so not effect on 
> init_ima_ns.
> 
> Here's the updated text:
> 
> Limit the number of policy rules one can set in non-init_ima_ns to a
> hardcoded 1024 rules to restrict the amount of memory used for IMA's
> policy.

The question is "why" there should be a difference between the
init_ima_ns and non-init_ima_ns cases.  Perhaps something like, "Only
host root with CAP_SYS_ADMIN may write init_ima_ns policy rules, but in
the non-init_ima_ns case root in the namespace with CAP_MAC_ADMIN
privileges may write IMA policy rules.  Limit the total number of IMA
policy rules per namespace."

>  Ignore the added rules if the user attempts to exceed this
> limit by setting too many additional rules.
> 
> Switch the accounting for the memory allocated for IMA policy rules to
> GFP_KERNEL_ACCOUNT so that cgroups kernel memory accounting takes effect.
> This switch has no effect on the init_ima_ns.

thanks,

Mimi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ