* [RFC PATCH v4 0/5] ima: Namespacing IMA
From: Stefan Berger @ 2018-05-11 14:42 UTC
To: linux-integrity-u79uwXL29TY76Z2rM5mHXA,
containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA,
linux-kernel-u79uwXL29TY76Z2rM5mHXA,
linux-security-module-u79uwXL29TY76Z2rM5mHXA
Cc: mkayaalp-4hyTIkVWTs8LubxHQvXPfYdd74u8MsAO,
sunyuqiong1988-Re5JQEeQqe8AvxtiuMwx3w, david.safford-JJi787mZWgc,
James.Bottomley-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk,
john.johansen-Z7WLFzj8eWMS+FvcfC7Uqw,
ebiederm-aS9lmoZGLiVWk0Htik3J/w,
zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8
This patch set implements an IMA namespace data structure that gets
created by first writing a '1' into IMA's securityfs unshare file at
/sys/kernel/security/ima/unshare and then by clone(). This patch set
lays down the foundation for namespacing the different aspects of IMA
(e.g. IMA-audit, IMA-measurement, IMA-appraisal).

The original PoC patches created a new CLONE_NEWIMA flag to explicitly
control when a new IMA namespace should be created. The previously posted
version 2 of this series had it hooked on the mount namespace, which was
regarded as inappropriate. The subsequent v3 tied it to the creation of a
user namespace. Based on comments, we elected to now again create an
independent IMA namespace through the above-mentioned securityfs file.

The first patch creates the ima_namespace data, while the second patch
puts the iint->flags in the namespace. The third patch introduces an
audit message type for IMA policy rules. The fourth patch introduces
a new IMA policy rule attribute 'ns' making rules only applicable to child
IMA namespaces. The last patch uses the flags for namespacing the
IMA-audit messages, enabling the same file to be audited each time it
is accessed in a new namespace.
Stefan
Mehmet Kayaalp (2):
ima: Add ns_status for storing namespaced iint data
ima: namespace audit status flags
Mimi Zohar (1):
ima: differentiate auditing policy rules from "audit" actions
Stefan Berger (1):
ima: extend IMA audit policy rules with attribute to audit namespaces
Yuqiong Sun (1):
ima: Add IMA namespace support
fs/proc/namespaces.c | 3 +
include/linux/ima.h | 53 +++++++++
include/linux/nsproxy.h | 2 +
include/linux/proc_ns.h | 1 +
include/linux/sched.h | 6 +
include/linux/user_namespace.h | 1 +
include/uapi/linux/audit.h | 3 +-
init/Kconfig | 11 ++
kernel/fork.c | 5 +
kernel/nsproxy.c | 25 ++++-
kernel/ucount.c | 1 +
security/integrity/ima/Makefile | 3 +-
security/integrity/ima/ima.h | 82 +++++++++++++-
security/integrity/ima/ima_api.c | 14 ++-
security/integrity/ima/ima_appraise.c | 2 +-
security/integrity/ima/ima_fs.c | 55 ++++++++++
security/integrity/ima/ima_init.c | 4 +
security/integrity/ima/ima_init_ima_ns.c | 51 +++++++++
security/integrity/ima/ima_main.c | 18 ++-
security/integrity/ima/ima_ns.c | 183 +++++++++++++++++++++++++++++++
security/integrity/ima/ima_ns_status.c | 133 ++++++++++++++++++++++
security/integrity/ima/ima_policy.c | 77 ++++++++++++-
22 files changed, 712 insertions(+), 21 deletions(-)
create mode 100644 security/integrity/ima/ima_init_ima_ns.c
create mode 100644 security/integrity/ima/ima_ns.c
create mode 100644 security/integrity/ima/ima_ns_status.c
--
2.14.3
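The two-step user-space sequence the cover letter describes (write '1' to the securityfs unshare file, then clone()) as an added example; this is not code from the series or its authors. It assumes a kernel carrying these patches and root access to /sys/kernel/security/ima/unshare, and it assumes that the request written to the unshare file is consumed by the next clone() of the same task, which is how the cover letter reads but which the text does not spell out. The child stack size, the `ima_request_unshare`/`ima_unshare_and_run` names and the self-test that substitutes a temporary file for the securityfs node are all constructed here so the sequence can be exercised on any kernel.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* securityfs node named in the cover letter */
#define IMA_UNSHARE_PATH "/sys/kernel/security/ima/unshare"
/* constructed value: stack for the clone()d child */
#define CHILD_STACK_SIZE (64 * 1024)

/* Step 1: arm the IMA unshare request for the calling task by writing "1"
 * to the unshare file. Returns 0 on success, -errno on failure. */
int ima_request_unshare(const char *path)
{
	int fd = open(path, O_WRONLY);
	if (fd < 0)
		return -errno;
	ssize_t n = write(fd, "1", 1);
	int err = errno;
	close(fd);
	if (n < 0)
		return -err;
	return n == 1 ? 0 : -EIO;
}

/* Step 2: clone() a child that runs fn(arg). On a kernel carrying this
 * series the child starts in a fresh IMA namespace (assumption: the request
 * from step 1 is consumed by the next clone() of the same task).
 * Returns the child's exit status (0..255) or -errno. */
int ima_unshare_and_run(const char *unshare_path, int (*fn)(void *), void *arg)
{
	int rc = ima_request_unshare(unshare_path);
	if (rc)
		return rc;

	char *stack = malloc(CHILD_STACK_SIZE);
	if (!stack)
		return -ENOMEM;
	/* SIGCHLD only: a plain clone() with no CLONE_NEW* bits; the IMA
	 * namespace comes from the securityfs request, not from a clone flag */
	pid_t pid = clone(fn, stack + CHILD_STACK_SIZE, SIGCHLD, arg);
	int err = errno;
	int status = 0;
	if (pid >= 0 && waitpid(pid, &status, 0) < 0) {
		err = errno;
		pid = -1;
	}
	free(stack);
	if (pid < 0)
		return -err;
	return WIFEXITED(status) ? WEXITSTATUS(status) : -ECHILD;
}

/* Child body: on a patched kernel this runs in the new IMA namespace, so a
 * file it opens is audited again by an 'ns' policy rule even if the parent
 * namespace already audited it. Here it just hands back a value. */
static int child_fn(void *arg)
{
	return *(int *)arg;
}

/* Offline self-test: a temp file stands in for the securityfs node so the
 * write-then-clone sequence runs on any kernel. Returns 0 when the request
 * byte was written and the child ran to completion with the expected value. */
int ima_ns_self_test(void)
{
	char path[] = "/tmp/ima-unshare-XXXXXX";
	int fd = mkstemp(path);
	if (fd < 0)
		return -errno;
	close(fd);

	int want = 42;
	int rc = ima_unshare_and_run(path, child_fn, &want);

	char buf[4] = {0};
	fd = open(path, O_RDONLY);
	ssize_t n = fd >= 0 ? read(fd, buf, sizeof buf - 1) : -1;
	if (fd >= 0)
		close(fd);
	unlink(path);

	if (rc != want)
		return -1;
	if (n != 1 || buf[0] != '1')
		return -2;
	return 0;
}

int main(void)
{
	/* Real use: needs the patched kernel and root; otherwise -ENOENT/-EACCES. */
	int want = 0;
	int rc = ima_unshare_and_run(IMA_UNSHARE_PATH, child_fn, &want);
	if (rc < 0)
		fprintf(stderr, "IMA namespace creation failed: %s\n", strerror(-rc));
	else
		printf("child ran in new IMA namespace, exit status %d\n", rc);
	return ima_ns_self_test() == 0 ? 0 : 1;
}
```

Because the namespace is requested through a per-task write rather than a clone flag, a process that writes '1' and then never calls clone() leaves the request pending; any library that forks on the caller's behalf afterwards would therefore create the namespace. That is worth keeping in mind when reviewing where in a container runtime the write is placed.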