Re: [PATCH v6 17/17] ima: Setup securityfs for IMA namespace

[Stefan Berger]

On 12/15/21 16:31, Mimi Zohar wrote:
> Hi Stefan, James,
>
> On Fri, 2021-12-10 at 14:47 -0500, Stefan Berger wrote:
> > Setup securityfs with symlinks, directories, and files for IMA
> > namespacing support. The same directory structure that IMA uses on the
> > host is also created for the namespacing case.
> >
> > The securityfs file and directory ownerships cannot be set when the
> > IMA namespace is initialized. Therefore, delay the setup of the file
> > system to a later point when securityfs is in securityfs_fill_super.
> >
> > This filesystem can now be mounted as follows:
> >
> > mount -t securityfs /sys/kernel/security/ /sys/kernel/security/
> >
> > The following directories, symlinks, and files are then available.
> >
> > $ ls -l sys/kernel/security/
> > total 0
> > lr--r--r--. 1 root root 0 Dec  2 00:18 ima -> integrity/ima
> > drwxr-xr-x. 3 root root 0 Dec  2 00:18 integrity
> The ima symlink was introduced for backwards compatibilty.  Refer to
> commit 0c343af8065b ("integrity: Add an integrity directory in
> securityfs").  The symlink shouldn't need to be supported in IMA
> namespace.

That's backwards compatibility for applications and scripts. If we want 
to have these running unmodified inside IMA namespaces I think it's 
better to keep the symbolic link and not treat the IMA namespaces any 
different than the host.

   Stefan

> thanks,
>
> Mimi
>
> > $ ls -l sys/kernel/security/ima/
> > total 0
> > -r--r-----. 1 root root 0 Dec  2 00:18 ascii_runtime_measurements
> > -r--r-----. 1 root root 0 Dec  2 00:18 binary_runtime_measurements
> > -rw-------. 1 root root 0 Dec  2 00:18 policy
> > -r--r-----. 1 root root 0 Dec  2 00:18 runtime_measurements_count
> > -r--r-----. 1 root root 0 Dec  2 00:18 violations
> >
> > Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>
> > Signed-off-by: James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx>