Re: [RFC PATCH v2 1/3] ima: extend clone() with IMA namespace support

From: Stefan Berger
Date: Thu Mar 22 2018 - 12:47:28 EST

Next message: Yang Shi: "Re: [RFC PATCH 1/8] mm: mmap: unmap large mapping by section"
Previous message: Guenter Roeck: "Re: [PATCH] watchdog: booke_wdt: Disable the watchdog prior to setting a new timeout value in order to avoid the following situation"
In reply to: Mimi Zohar: "Re: [RFC PATCH v2 1/3] ima: extend clone() with IMA namespace support"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 03/15/2018 03:01 PM, James Bottomley wrote:

On Thu, 2018-03-15 at 14:51 -0400, Stefan Berger wrote:

On 03/15/2018 02:45 PM, James Bottomley wrote:

[...]

going to need some type of keyring namespace and there's
already
one hanging off the user_ns:

commit f36f8c75ae2e7d4da34f4c908cebdb4aa42c977e
Author: David Howells <dhowells@xxxxxxxxxx>
Date: Tue Sep 24 10:35:19 2013 +0100

KEYS: Add per-user_namespace registers for persistent
per-UID
kerberos caches

The benefit for IMA would be that this would then tie the keys
needed for appraising to the IMA namespace's policy.
However, if you have an appraise policy in your IMA namespace,
which is now hooked to the user namespace, and you join that user
namespace but your files don't have signatures, nothing will
execute anymore. That's now a side effect of joining this user
namespace unless we have a magic exception. My feeling is,
people may not like that...

Agree, but I think the magic might be to populate the ima keyring
with the parent on user_ns creation. That way the user_ns owner
can delete the parent keys if they don't like them, but by default
the parent appraisal policy should just work.

That may add keys to your keyring but doesn't get you signatures on
your files.

But it doesn't need to. The only way we'd get a failure is if the file
is already being appraised and we lose access to the key. If the
parent policy isn't appraisal, entering the IMA NS won't cause
appraisal to be turned on unless the owner asks for it, in which case
it's caveat emptor: As it works today, if as root I add a default
appraisal policy to IMA without either a key or xattrs, I get an
unusable system.

When I post a next implementation for the spawning if an IMA namespace, what shall be the criterion for accepting it?

Stefan

James

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html

Next message: Yang Shi: "Re: [RFC PATCH 1/8] mm: mmap: unmap large mapping by section"
Previous message: Guenter Roeck: "Re: [PATCH] watchdog: booke_wdt: Disable the watchdog prior to setting a new timeout value in order to avoid the following situation"
In reply to: Mimi Zohar: "Re: [RFC PATCH v2 1/3] ima: extend clone() with IMA namespace support"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]