[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <edc472a977f40dc254d3cf9c8be5f3a5147f26ad.camel@linux.ibm.com>
Date: Wed, 23 Feb 2022 06:45:43 -0500
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Stefan Berger <stefanb@...ux.ibm.com>,
linux-integrity@...r.kernel.org
Cc: serge@...lyn.com, christian.brauner@...ntu.com,
containers@...ts.linux.dev, dmitry.kasatkin@...il.com,
ebiederm@...ssion.com, krzysztof.struczynski@...wei.com,
roberto.sassu@...wei.com, mpeters@...hat.com, lhinds@...hat.com,
lsturman@...hat.com, puiterwi@...hat.com, jejb@...ux.ibm.com,
jamjoom@...ibm.com, linux-kernel@...r.kernel.org,
paul@...l-moore.com, rgb@...hat.com,
linux-security-module@...r.kernel.org, jmorris@...ei.org,
James Bottomley <James.Bottomley@...senPartnership.com>,
Christian Brauner <brauner@...nel.org>
Subject: Re: [PATCH v10 23/27] ima: Setup securityfs for IMA namespace
On Tue, 2022-02-01 at 15:37 -0500, Stefan Berger wrote:
> Setup securityfs with symlinks, directories, and files for IMA
> namespacing support. The same directory structure that IMA uses on the
> host is also created for the namespacing case.
>
> The securityfs file and directory ownerships cannot be set when the
> IMA namespace is initialized. Therefore, delay the setup of the file
> system to a later point when securityfs is in securityfs_fill_super.
>
> Introduce a variable ima_policy_removed in ima_namespace that is used to
> remember whether the policy file has previously been removed and thus
> should not be created again in case of unmounting and again mounting
> securityfs inside an IMA namespace.
When the ability of extending the custom IMA policy was added, support
for displaying the policy was added. (Refer to the IMA_READ_POLICY
Kconfig.) This patch set adds support for a user, true root in the
namespace, to be able to write a custom policy. If the
IMA_READ_POLICY is not enabled, then nobody, including host root, will
be able to view it.
Instead of continuing to support not being able to read the IMA policy,
updating the IMA_READ_POLICY Kconfig for the IMA_NS case to require it
seems preferable.
> This filesystem can now be mounted as follows:
>
> mount -t securityfs /sys/kernel/security/ /sys/kernel/security/
>
> The following directories, symlinks, and files are available
> when IMA namespacing is enabled, otherwise it will be empty:
>
> $ ls -l sys/kernel/security/
> total 0
> lr--r--r--. 1 root root 0 Dec 2 00:18 ima -> integrity/ima
> drwxr-xr-x. 3 root root 0 Dec 2 00:18 integrity
>
> $ ls -l sys/kernel/security/ima/
> total 0
> -r--r-----. 1 root root 0 Dec 2 00:18 ascii_runtime_measurements
> -r--r-----. 1 root root 0 Dec 2 00:18 binary_runtime_measurements
> -rw-------. 1 root root 0 Dec 2 00:18 policy
> -r--r-----. 1 root root 0 Dec 2 00:18 runtime_measurements_count
> -r--r-----. 1 root root 0 Dec 2 00:18 violations
>
> Signed-off-by: Stefan Berger <stefanb@...ux.ibm.com>
> Signed-off-by: James Bottomley <James.Bottomley@...senPartnership.com>
> Acked-by: Christian Brauner <brauner@...nel.org>
Otherwise,
Reviewed-by: Mimi Zohar <zohar@...ux.ibm.com>
Powered by blists - more mailing lists