| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 16 Sep 2022 09:20:55 -0400
From: Stefan Berger <stefanb@...ux.ibm.com>
To: Casey Schaufler <casey@...aufler-ca.com>,
linux-integrity@...r.kernel.org
Cc: zohar@...ux.ibm.com, serge@...lyn.com, brauner@...nel.org,
containers@...ts.linux.dev, dmitry.kasatkin@...il.com,
ebiederm@...ssion.com, krzysztof.struczynski@...wei.com,
roberto.sassu@...wei.com, mpeters@...hat.com, lhinds@...hat.com,
lsturman@...hat.com, puiterwi@...hat.com, jejb@...ux.ibm.com,
jamjoom@...ibm.com, linux-kernel@...r.kernel.org,
paul@...l-moore.com, rgb@...hat.com,
linux-security-module@...r.kernel.org, jmorris@...ei.org,
jpenumak@...hat.com
Subject: Re: [PATCH v14 00/26] ima: Namespace IMA with audit support in IMA-ns
On 9/16/22 06:54, Stefan Berger wrote:
>
>
> On 9/15/22 20:56, Casey Schaufler wrote:
>> On 9/15/2022 12:31 PM, Stefan Berger wrote:
>>> The goal of this series of patches is to start with the namespacing of
>>> IMA and support auditing within an IMA namespace (IMA-ns) as the first
>>> step.
>>>
>>> In this series the IMA namespace is piggybacking on the user namespace
>>> and therefore an IMA namespace is created when a user namespace is
>>> created, although this is done late when SecurityFS is mounted inside
>>> a user namespace. The advantage of piggybacking on the user namespace
>>> is that the user namespace can provide the keys infrastructure that IMA
>>> appraisal support will need later on.
>>>
>>> We chose the goal of supporting auditing within an IMA namespace
>>> since it
>>> requires the least changes to IMA. Following this series, auditing
>>> within
>>> an IMA namespace can be activated by a root running the following lines
>>> that rely on a statically linked busybox to be installed on the host for
>>> execution within the minimal container environment:
>>>
>>> As root (since audit rules may now only be set by root):
>>
>> How about calling out the required capabilities? You don't need
>> to be root, you need a specific set of capabilities. It would be
>> very useful for the purposes of understanding the security value
>> of the patch set to know this.
>>
> CAP_AUDIT_WRITE?
>
Currently the capabilities that are required are CAP_SYS_ADMIN, which I
could change to CAP_AUDIT_WRITE. This would result in the following
change to 26/26:
diff --git a/security/integrity/ima/ima_policy.c
b/security/integrity/ima/ima_policy.c
index 760e79bb5a34..40cd19d38f23 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -1396,15 +1396,15 @@ static unsigned int
ima_parse_appraise_algos(char *arg)
}
/*
- * Either host root with CAP_SYS_ADMIN in current user namespace or
- * root with CAP_SYS_ADMIN on the host entering a namespace may set
+ * Either host root with CAP_AUDIT_WRITE in current user namespace or
+ * root with CAP_AUDIT_WRITE on the host entering a namespace may set
* audit rules inside a namespace.
*/
static bool may_set_audit_rule_in_ns(kuid_t uid, struct user_namespace
*user_ns)
{
return (uid_eq(uid, GLOBAL_ROOT_UID) &&
- ns_capable(user_ns, CAP_SYS_ADMIN))
- || capable(CAP_SYS_ADMIN);
+ ns_capable(user_ns, CAP_AUDIT_WRITE))
+ || capable(CAP_AUDIT_WRITE);
}
static int ima_parse_rule(struct user_namespace *user_ns,
char *rule, struct ima_rule_entry *entry)
What this check is to prevent is that non-root users spawn a user
namespace and set IMA-audit rules which enables them to flood the audit
log. From what I see non-root users have the full capability set in a
user namespace they spawn. So it has to be filtered to root maybe with
CAP_SYS_WRITE instead of CAP_SYS_ADMIN.
Powered by blists - more mailing lists