Re: [PATCH v9 00/23] ima: Namespace IMA with audit support in IMA-ns

From: Stefan Berger
Date: Wed Jan 26 2022 - 11:52:59 EST



On 1/25/22 17:46, Stefan Berger wrote:
From: Stefan Berger <stefanb@xxxxxxxxxxxxx>

The goal of this series of patches is to start with the namespacing of
IMA and support auditing within an IMA namespace (IMA-ns) as the first
step.
[...]


My tree with these patches is here:

git fetch https://github.com/stefanberger/linux-ima-namespaces v5.16+imans.v9.posted

Thanks a lot for the first round of Acks, Christian. I haven't looked through all the comments yet, though.

If one pulls this branch one will see that there's a directory STAGE3. This is where I have been storing patches that explore how deep the can is that we are opening here. So yeah, it's pretty deep... In my latest branch I now have 40 patches beyond what we have here that add IMA-measurement support, inheritance of hash algo and IMA template from parent to child, and IMA-appraisal to the IMA namespaces, but it doesn't yet tackle all of the issues. At some point it pulls in integrity and EVM for namespacing as well... All 'dimensions of this problem' look good, but the patches there are not as clean as we have them here right now. So considering the depth of the problem this may take a while...

I also have a test suite just for IMA namespacing that tests IMA-audit in IMA-ns and these upcoming aspects, and it tries to test a lot of things by running many namespaces in parallel to exercise the locking. I run certain tests with up to 1920 namespaces concurrently and so far it's been good, especially with the lock groups from v9 18/23. So don't shake that tree there too hard.

https://github.com/stefanberger/ima-namespaces-tests

The test suite should be able to skip any tests for which there's no support in Linux. So with this series applied the audit related tests should all work.

You can check out the test suite, but you may need to move along with my Linux patch branches as I update the test suite. The problem is of course that design changes in the Linux patches affect the test suite. So this may cause hiccups. And I have been using force-updates to solve this issue... The tests have been working on Fedora 34 x86 and ppc64. The unshare tool on Ubuntu 20.04 seems to be too old to run certain tests correctly.

Cheers!

   Stefan