Jason Gunthorpe <jgunthorpe-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org> wrote on 01/27/2016 05:25:34 PM:


>
> On Wed, Jan 27, 2016 at 04:58:51PM -0500, Stefan Berger wrote:
>
> >    > I don't think there is a generic kernel side point where it could tell
> >    > the child is isolated enough. Whatever that means.
>
> >    I agree. Which set of namespaces is enough for running any program in
> >    this set of namespaces (aka container) and being able to forget
> >    about
>
> It isn't just the presence of namespaces that matters, e.g. a net mount
> namespace does not mean access is denied to the parent namespace, net
> namespaces don't mean devices are isolated, etc.
>
> This is not a good direction to go, access to an IMA namespace needs to
> be very strongly controlled, 'enough namespaces' is not a sufficient
> criterion!


Isolation should be a criterion, and isolation becomes better with more namespaces enabled. That way one can run any program inside the set of namespaces and not harm the host or any other namespaces / containers.


>
> Any flaw in the access criteria immediately destroys the security of
> IMA in non-container contexts, so this needs to be done very
> carefully.
>
> >    > Doesn't selinux have the exact same problem? How does selinux handle
> >    > namespaces?
>
> >    They solve it by mounting with a context option, which enforces an
> >    sVirt SELinux label across all files that the container user then
> >    cannot change.
>
> This sounds very sane.
>
> >    > That said, maybe looking at selinux namespaces interaction will give a
> >    > different idea..
>
> >    See above. We cannot use the same trick.
>
> Hmm, well, it certainly seems to be a lot of what is required,
> and like a much better direction than trying to use namespaces.


I don't agree. We want to allow users to run their own IMA appraisal policy. For that, files need to be signed and the user's key passed to the IMA namespace. To enable that we need per-file signatures, not some single label that works across all files in a filesystem. IMA's appraisal mode just doesn't work this way.

>
> Arranging for an IMA namespace to only exists in association with a
> SELinux label - and then rely on SELinux to provide the necessary
> security isolation instead of trying to do the same thing with
> namespaces sounds more likely to succeed..


I am not sure whether SELinux labeling alone provides enough isolation. And it's likely not just the label that's important but all the rules that go with it that determine what a process can do and what not. How do you even evaluate from inside the kernel that it's worthy of an IMA namespace?

   Stefan

>
> Jason
>
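The distinction Stefan draws above, between per-file signatures checked against a key handed to the IMA namespace and a single SELinux context applied to a whole mount, as an added illustration that is not part of this thread and not kernel code. It is a constructed model: real IMA stores an asymmetric signature over the file digest in the `security.ima` xattr and verifies it against keys on the `.ima` keyring; here an HMAC keyed with a per-namespace secret stands in for that signature, and a dict stands in for the xattrs, so the script runs offline with only the standard library. The namespace keys, file contents and the mount label string are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed model of IMA appraisal scoped to a namespace. An HMAC keyed with
# the namespace's secret stands in for the asymmetric signature that real IMA
# keeps in the security.ima xattr (assumption: simplification, not the kernel's format).


def file_digest(path: str) -> bytes:
    """SHA-256 over the file content, the value IMA's appraisal binds the signature to."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.digest()


def sign_file(path: str, ns_key: bytes) -> bytes:
    """Produce the per-file signature value for this namespace's key."""
    return hmac.new(ns_key, file_digest(path), hashlib.sha256).digest()


def appraise(path: str, ima_xattrs: dict, ns_key: bytes) -> bool:
    """Appraisal: recompute the digest and verify the stored per-file signature
    with the key belonging to this namespace. Unsigned files are denied."""
    stored = ima_xattrs.get(path)
    if stored is None:
        return False
    return hmac.compare_digest(stored, sign_file(path, ns_key))


def demo() -> dict:
    """Sign a file for namespace A, then show what each model can and cannot tell."""
    ns_a_key = os.urandom(32)  # constructed: key passed into IMA namespace A
    ns_b_key = os.urandom(32)  # constructed: a different container's key
    # One label for the entire mount, the sVirt-style approach from the thread
    # (constructed label string, not a real policy type).
    mount_label = "constructed_u:object_r:constructed_container_file_t:s0:c1,c2"
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tool")
        with open(path, "wb") as f:
            f.write(b"#!/bin/sh\necho trusted\n")
        ima_xattrs = {path: sign_file(path, ns_a_key)}  # stands in for security.ima

        # Per-file model: the signature verifies only under the namespace's own key.
        results["untampered_ns_a"] = appraise(path, ima_xattrs, ns_a_key)
        results["other_ns_key"] = appraise(path, ima_xattrs, ns_b_key)

        # Modify the file content after signing.
        with open(path, "ab") as f:
            f.write(b"echo changed\n")
        results["tampered_ns_a"] = appraise(path, ima_xattrs, ns_a_key)

        # Label model: the mount-wide context is unaffected by the edit, so it
        # carries no information about whether the content is still what was signed.
        results["label_unchanged"] = (
            mount_label == "constructed_u:object_r:constructed_container_file_t:s0:c1,c2"
        )
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the output makes is the one in the thread: a per-file signature keyed to the namespace answers "is this file's content still what the namespace owner signed", which a single context label applied at mount time cannot, since the label is a property of the mount rather than of each file's bytes.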