linux-kernel.vger.kernel.org archive mirror
From: "Magalhaes, Guilherme (Brazil R&D-CL)" <guilherme.magalhaes@hpe.com>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>,
	"Serge E. Hallyn" <serge@hallyn.com>
Cc: Mehmet Kayaalp <mkayaalp@cs.binghamton.edu>,
	Yuqiong Sun <sunyuqiong1988@gmail.com>,
	containers <containers@lists.linux-foundation.org>,
	linux-kernel <linux-kernel@vger.kernel.org>,
	David Safford <david.safford@ge.com>,
	"James Bottomley" <James.Bottomley@HansenPartnership.com>,
	linux-security-module <linux-security-module@vger.kernel.org>,
	ima-devel <linux-ima-devel@lists.sourceforge.net>,
	Yuqiong Sun <suny@us.ibm.com>
Subject: RE: [Linux-ima-devel] [RFC PATCH 1/5] ima: extend clone() with IMA namespace support
Date: Fri, 28 Jul 2017 14:19:59 +0000
Message-ID: <TU4PR84MB03025BC4B8DEC44A0D63A298FFBF0@TU4PR84MB0302.NAMPRD84.PROD.OUTLOOK.COM>
In-Reply-To: <1501166369.28419.171.camel@linux.vnet.ibm.com>

> > Each measurement entry in the list could have new fields to identify
> > the namespace. Since the namespaces can be reused, a timestamp or
> > other fields could be added to uniquely identify the namespace id.
> 
> The more fields included in the measurement list, the more
> measurements will be added to the measurement list.  Wouldn't it be
> enough to know that a certain file has been accessed/executed on the
> system and base any analytics/forensics on the IMA-audit data?

With the recursive application of policy through the namespace hierarchy,
a measurement added to the parent namespace could be misleading since 
the file pathname makes sense in the current namespace but possibly not
for the parent namespace. This is the reason why I believe some new field
might be needed in the IMA template format to indicate or uniquely 
identify the namespace.

--
Guilherme
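
The ambiguity raised in this message, as an added example that is not part of the original email or of the patch set: two files measured under the same pathname in different namespaces cannot be told apart in an `ima-ng` style list, while a namespace column separates them. The `ima-ng-ns` template name, its `ns` column, the namespace labels and all sample lines are hypothetical and constructed for illustration.

```python
import hashlib
from collections import defaultdict

def entry(path, content, ns=None):
    """Build one constructed ASCII measurement line (not real kernel output)."""
    digest = "sha256:" + hashlib.sha256(content).hexdigest()
    # Stand-in for the template-hash column; real IMA hashes the template data.
    tmpl_hash = hashlib.sha1((digest + path).encode()).hexdigest()
    if ns is None:
        return f"10 {tmpl_hash} ima-ng {digest} {path}"
    # "ima-ng-ns" and its ns column are hypothetical, not an existing template.
    return f"10 {tmpl_hash} ima-ng-ns {digest} {ns} {path}"

def parse(line):
    """Split a line into fields; the pathname is last and may contain spaces."""
    pcr, tmpl_hash, template, rest = line.split(None, 3)
    if template == "ima-ng-ns":
        digest, ns, path = rest.split(" ", 2)
    else:
        digest, path = rest.split(" ", 1)
        ns = None
    return {"pcr": int(pcr), "template": template,
            "digest": digest, "ns": ns, "path": path}

def ambiguous_paths(lines):
    """Return (ns, path) keys that map to more than one file digest.

    Without a namespace field a verifier cannot tell whether such a key
    means the file changed or the same pathname was resolved in another
    namespace.
    """
    seen = defaultdict(set)
    for line in lines:
        e = parse(line)
        seen[(e["ns"], e["path"])].add(e["digest"])
    hits = [k for k, digests in seen.items() if len(digests) > 1]
    return sorted(hits, key=lambda k: (k[0] or "", k[1]))

# Constructed sample: /bin/sh differs between the host and a container.
HOST_SH, CTR_SH = b"host shell binary", b"container shell binary"
PLAIN = [entry("/bin/sh", HOST_SH), entry("/bin/sh", CTR_SH)]
TAGGED = [entry("/bin/sh", HOST_SH, "ns0"), entry("/bin/sh", CTR_SH, "ns1")]

if __name__ == "__main__":
    print("ima-ng:", ambiguous_paths(PLAIN))
    print("with ns column:", ambiguous_paths(TAGGED))
```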

