Re: [RFC PATCH v2 1/3] ima: extend clone() with IMA namespace support

[Stefan Berger]

On 03/15/2018 03:20 PM, Eric W. Biederman wrote:
> Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx> writes:
>
> > On 03/15/2018 03:01 PM, James Bottomley wrote:
> > > On Thu, 2018-03-15 at 14:51 -0400, Stefan Berger wrote:
> > > > On 03/15/2018 02:45 PM, James Bottomley wrote:
> > > [...]
> > > > > > > going to need some type of keyring namespace and there's
> > > > > > > already
> > > > > > > one hanging off the user_ns:
> > > > > > >
> > > > > > > commit f36f8c75ae2e7d4da34f4c908cebdb4aa42c977e
> > > > > > > Author: David Howells <dhowells@xxxxxxxxxx>
> > > > > > > Date:   Tue Sep 24 10:35:19 2013 +0100
> > > > > > >
> > > > > > >         KEYS: Add per-user_namespace registers for persistent
> > > > > > > per-UID
> > > > > > > kerberos caches
> > > > > > The benefit for IMA would be that this would then tie the keys
> > > > > > needed for appraising to the IMA namespace's policy.
> > > > > > However, if you have an appraise policy in your IMA namespace,
> > > > > > which is now hooked to the user namespace, and you join that user
> > > > > > namespace but your files don't have signatures, nothing will
> > > > > > execute anymore. That's now a side effect of joining this user
> > > > > > namespace unless we have a magic  exception. My feeling is,
> > > > > > people may not like that...
> > > > > Agree, but I think the magic might be to populate the ima keyring
> > > > > with the parent on user_ns creation.  That way the user_ns owner
> > > > > can delete the parent keys if they don't like them, but by default
> > > > > the parent appraisal policy should just work.
> > > > That may add keys to your keyring but doesn't get you signatures on
> > > > your  files.
> > > But it doesn't need to.  The only way we'd get a failure is if the file
> > > is already being appraised and we lose access to the key.  If the
> > Well, the configuration I talked about above was assuming that we have
> > an appraisal policy active in the IMA namespace, which is now tied to
> > the user namespace that was just joined.
> >
> > If we are fine with the side effects of an IMA policy active as part
> > of a user namespace then let's go with it. The side effects in case of
> > an active IMA appraisal may then be that files cannot be
> > read/accessed, or file measurements or IMA auditing may occur.
> >
> > The alternative is we have an independent IMA namespace. If one joins
> > the USER namespace and there are no IMA-related side effects. If one
> > joins the IMA namespace its IMA policy should start being enforced. If
> > the current active USER namespace has the keys that go with the
> > signatures of the filesystem, then we're fine from the appraisal
> > perspective. If not, then IMA namespace joining may prevent file
> > accesses.
> >
> > > parent policy isn't appraisal, entering the IMA NS won't cause
> > Why parent policy? The policy of the namespace that was joined should
> > be the active one, no ?
> Unless I am completely blind we should never stop enforcing the parent's
> polciy.  We should only add policy to enforce for the scope of a
> container.

What we want is an independent policy for each IMA namespace.

What we don't want is that root can abuse his power to spawn new 
namespaces and circumvent a file appraisal policy on the host (in 
init_ima_ns). Because of that root's activities are subject to the IMA 
policy of the currently active IMA namespace and the one of init_ima_ns 
(and possibly all the ones in between). If root is working in a child 
IMA namespace and file appraisal fails due to the policy in init_ima_ns 
and keys found in .ima or _ima keyrings attached to init_user_ns, the 
file access will be denied.

Besides that root's activities will always be measured and audited 
following the policy in init_ima_ns. This tries to prevent that root 
spawns an IMA namespace with a NULL policy and does things in the TCB 
and tries to escape the logging.

> In practice this is just the containers policy as the container is most
> likely a do whatever you want to in the parent policy.  But not always
> and not explicitly.
>
> Mount namespaces are not hierarchical, user namespaces are.  Which makes
> them much more appropriate for being part of nested policy enforcement.

We don't want additive or hierarchical policies - at least I don't. They 
should be independent. Only exception are activities of root that are 
always iteratively evaluated against policies of the current IMA NS and 
the init_ima_ns and possibly all the ones in between.

>  From previous conversations I remember that there is a legitimate
> bootstrap problem for IMA.  That needs to be looked at, and I am not
> seeing that mentioned.

IMA's log should not have a gap. So ideally we shouldn't have to write 
something into sysfs to spawn a new IMA namespace so that we don't miss 
whatever setup may have happened to get there, including the writing 
into procfs. IMA should be there right from the start. So a clone flag 
would be ideal for that.

> Eric
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html