Re: [PATCH v2] xattr: Enable security.capability in user namespaces

From: Mimi Zohar
Date: Wed Jul 26 2017 - 09:58:10 EST

Next message: Arnd Bergmann: "[PATCH RESEND] fbdev: omapfb: remove unused variable"
Previous message: Michal Hocko: "Re: [v4 1/4] mm, oom: refactor the TIF_MEMDIE usage"
In reply to: Serge E. Hallyn: "Re: [PATCH v2] xattr: Enable security.capability in user namespaces"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 2017-07-25 at 22:00 -0500, Serge E. Hallyn wrote:
> On Fri, Jul 14, 2017 at 03:26:14PM -0400, Mimi Zohar wrote:
> > On Fri, 2017-07-14 at 13:17 -0500, Eric W. Biederman wrote:
> > > Which brings us to the semantic question of would it be nice to have
> > > stacked IMA/EVM on the same file.
> > >
> > > I really don't think we do. I think allowing multiple keys for
> > > different part of trusting files is easy enough that we should have no
> > > need to fight over which keys do which.
> >
> > We definitely want to support different policies on the native and in
> > the namespace with different keys and keyrings.
>
> Ok, so Stefan's code to support userspace in a container reading
> security.ima and getting back the value for security.ima@uid=1000
> (if 1000 is the kuid of the container's root user) is in fact
> useful to IMA?

Definitely! ÂRoot within the namespace needs to be able to read and
write security.ima in order to (re)sign files, with a specific key
known to that container. ÂStefan's code provides different views of
the security xattrs.

Mimi

Next message: Arnd Bergmann: "[PATCH RESEND] fbdev: omapfb: remove unused variable"
Previous message: Michal Hocko: "Re: [v4 1/4] mm, oom: refactor the TIF_MEMDIE usage"
In reply to: Serge E. Hallyn: "Re: [PATCH v2] xattr: Enable security.capability in user namespaces"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]