Re: [PATCH v9 11/23] ima: Move ima_lsm_policy_notifier into ima_namespace

[Stefan Berger]

On 1/26/22 08:05, Christian Brauner wrote:
> On Tue, Jan 25, 2022 at 05:46:33PM -0500, Stefan Berger wrote:
> > From: Stefan Berger <stefanb@xxxxxxxxxxxxx>
> >
> > Move the ima_lsm_policy_notifier into the ima_namespace. Each IMA
> > namespace can now register its own LSM policy change notifier callback.
> > The policy change notifier for the init_ima_ns still remains in init_ima()
> > and therefore handle the registration of the callback for all other
> > namespaces in init_ima_namespace().
> >
> > Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>
> > ---
> I'd double-check that this cannot be used to cause rcu stalls when a lot
> of ima namespace with a lot of rules are used leading to a dos situation
> during LSM policy update. The good thing at least is that an LSM policy
> update can only be triggered for selinux for the whole system.


I just ran a test with up to 1920 IMA-namespaces each with 2 audit rules 
with the vmtools_exec_t label. Disabling of the vmtools SELinux module 
caused the rules to disappear in all IMA namespaces, as expected. 
However, it also added many kernel log lines 'ima: rule for LSM 
'vmtools_exec_t' is undefined' to the kernel log that should probably be 
suppressed for ns != &init_ima_ns. Nothing bad happened otherwise. Also 
re-enabling the vmtools module didn't cause any kernel errors.  So I 
think we should be fine.

https://github.com/stefanberger/ima-namespaces-tests/tree/master/audit-many-2