From: Mimi Zohar <zohar@linux.ibm.com>
To: Stefan Berger <stefanb@linux.ibm.com>, linux-integrity@vger.kernel.org
Cc: serge@hallyn.com, christian.brauner@ubuntu.com,
containers@lists.linux.dev, dmitry.kasatkin@gmail.com,
ebiederm@xmission.com, krzysztof.struczynski@huawei.com,
roberto.sassu@huawei.com, mpeters@redhat.com, lhinds@redhat.com,
lsturman@redhat.com, puiterwi@redhat.com, jejb@linux.ibm.com,
jamjoom@us.ibm.com, linux-kernel@vger.kernel.org,
paul@paul-moore.com, rgb@redhat.com,
linux-security-module@vger.kernel.org, jmorris@namei.org,
Mehmet Kayaalp <mkayaalp@linux.vnet.ibm.com>
Subject: Re: [PATCH v6 03/17] ima: Namespace audit status flags
Date: Wed, 15 Dec 2021 16:15:55 -0500 [thread overview]
Message-ID: <925ed27a6375dffcb92e9812e36b1c461ae63aa2.camel@linux.ibm.com> (raw)
In-Reply-To: <20211210194736.1538863-4-stefanb@linux.ibm.com>
On Fri, 2021-12-10 at 14:47 -0500, Stefan Berger wrote:
> From: Mehmet Kayaalp <mkayaalp@linux.vnet.ibm.com>
>
> The iint cache stores whether the file is measured, appraised, audited
> etc. This patch moves the IMA_AUDITED flag into the per-namespace
> ns_status, enabling IMA audit mechanism to audit the same file each time
> it is accessed in a new namespace.
>
> The ns_status is not looked up if the CONFIG_IMA_NS is disabled or if
> any of the IMA_NS_STATUS_ACTIONS (currently only IMA_AUDIT) is not
> enabled.
^none of the ... are enabled.
thanks,
Mimi
>
> Read and write operations on the iint flags is replaced with function
> calls. For reading, iint_flags() returns the bitwise AND of iint->flags
> and ns_status->flags. The ns_status flags are masked with
> IMA_NS_STATUS_FLAGS (currently only IMA_AUDITED). Similarly
> set_iint_flags() only writes the masked portion to the ns_status flags,
> while the iint flags is set as before. The ns_status parameter added to
> ima_audit_measurement() is used with the above functions to query and
> set the ns_status flags.
>
next prev parent reply other threads:[~2021-12-15 21:16 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-10 19:47 [PATCH v6 00/17] ima: Namespace IMA with audit support in IMA-ns Stefan Berger
2021-12-10 19:47 ` [PATCH v6 01/17] ima: Add IMA namespace support Stefan Berger
2021-12-13 21:11 ` Stefan Berger
2021-12-15 19:41 ` Mimi Zohar
2021-12-15 21:10 ` Mimi Zohar
2021-12-16 2:34 ` Stefan Berger
2021-12-10 19:47 ` [PATCH v6 02/17] ima: Define ns_status for storing namespaced iint data Stefan Berger
2021-12-15 21:12 ` Mimi Zohar
2021-12-16 2:37 ` Stefan Berger
2021-12-16 3:53 ` Mimi Zohar
2021-12-16 4:00 ` Stefan Berger
2021-12-10 19:47 ` [PATCH v6 03/17] ima: Namespace audit status flags Stefan Berger
2021-12-15 21:15 ` Mimi Zohar [this message]
2021-12-16 2:38 ` Stefan Berger
2021-12-16 3:54 ` Mimi Zohar
2021-12-10 19:47 ` [PATCH v6 04/17] ima: Move delayed work queue and variables into ima_namespace Stefan Berger
2021-12-10 19:47 ` [PATCH v6 05/17] ima: Move IMA's keys queue related " Stefan Berger
2021-12-10 19:47 ` [PATCH v6 06/17] ima: Move policy " Stefan Berger
2021-12-13 21:15 ` Stefan Berger
2021-12-10 19:47 ` [PATCH v6 07/17] ima: Move ima_htable " Stefan Berger
2021-12-10 19:47 ` [PATCH v6 08/17] ima: Move measurement list related variables " Stefan Berger
2021-12-10 19:47 ` [PATCH v6 09/17] ima: Only accept AUDIT rules for IMA non-init_ima_ns namespaces for now Stefan Berger
2021-12-10 19:47 ` [PATCH v6 10/17] ima: Implement hierarchical processing of file accesses Stefan Berger
2021-12-10 19:47 ` [PATCH v6 11/17] securityfs: Only use simple_pin_fs/simple_release_fs for init_user_ns Stefan Berger
2021-12-10 19:47 ` [PATCH v6 12/17] securityfs: Extend securityfs with namespacing support Stefan Berger
2021-12-11 10:50 ` Christian Brauner
2021-12-11 22:31 ` Stefan Berger
2021-12-10 19:47 ` [PATCH v6 13/17] ima: Move some IMA policy and filesystem related variables into ima_namespace Stefan Berger
2021-12-10 19:47 ` [PATCH v6 14/17] ima: Tie opened SecurityFS files to the IMA namespace it belongs to Stefan Berger
2021-12-11 11:00 ` Christian Brauner
2021-12-11 22:33 ` Stefan Berger
2021-12-10 19:47 ` [PATCH v6 15/17] ima: Use mac_admin_ns_capable() to check corresponding capability Stefan Berger
2021-12-11 15:29 ` Serge E. Hallyn
2021-12-11 16:05 ` James Bottomley
2021-12-11 19:22 ` Serge E. Hallyn
2021-12-11 20:12 ` James Bottomley
2021-12-10 19:47 ` [PATCH v6 16/17] ima: Move dentry into ima_namespace and others onto stack Stefan Berger
2021-12-10 19:47 ` [PATCH v6 17/17] ima: Setup securityfs for IMA namespace Stefan Berger
2021-12-15 21:31 ` Mimi Zohar
2021-12-16 2:41 ` Stefan Berger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=925ed27a6375dffcb92e9812e36b1c461ae63aa2.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=christian.brauner@ubuntu.com \
--cc=containers@lists.linux.dev \
--cc=dmitry.kasatkin@gmail.com \
--cc=ebiederm@xmission.com \
--cc=jamjoom@us.ibm.com \
--cc=jejb@linux.ibm.com \
--cc=jmorris@namei.org \
--cc=krzysztof.struczynski@huawei.com \
--cc=lhinds@redhat.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lsturman@redhat.com \
--cc=mkayaalp@linux.vnet.ibm.com \
--cc=mpeters@redhat.com \
--cc=paul@paul-moore.com \
--cc=puiterwi@redhat.com \
--cc=rgb@redhat.com \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=stefanb@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.