Re: [PATCH v5 14/16] ima: Use mac_admin_ns_capable() to check corresponding capability

[Stefan Berger <stefanb@linux.ibm.com>]

On 12/11/21 10:02, Serge E. Hallyn wrote:
> IMO yes it is unsafe, however I concede that I am not sufficiently familiar
> with the policy language.  At least Stefan and Mimi (IIUC) want the host
> policy language to be able to specify cases where an IMA ns can be
> configured.  What's not clear to me is what sorts of triggers the host
> IMA policy could specify that would safely identify a IMA ns generation
> trigger.
>
> Stefan, would you mind showing what such a policy statement would look like?
> Does it amount to "/usr/bin/runc may create an IMA ns which escapes current
> policy" ?  Or is it by UID, or any file which has a certain xattr on it?

If this policy here is active on the host then file executions 
(BPRM_CHECK) of uid=0 should be measured and audited on the host in any 
IMA namespace that uid=0 may create. We achieve this with hierarchical 
processing (v6: 10/17).

measure func=BPRM_CHECK mask=MAY_EXEC uid=0

audit func=BPRM_CHECK mask=MAY_EXEC uid=0

    Stefan


>
> -serge
>
> On Thu, Dec 09, 2021 at 08:09:20AM +0000, Denis Semakin wrote:
>> Following that thoughts...
>> Will it be so incorrectly to unbound IMA-ns from USER-ns?
>> I realize that it could lead a lot of problems but it is still unclear will current IMA-ns will be useful for Kuber...
>> How userland supposed to use current IMA-ns implementation?
>>
>> Br,
>> Denis
>>
>> -----Original Message-----
>> From: Denis Semakin
>> Sent: Thursday, December 9, 2021 10:22 AM
>> To: 'Stefan Berger' <stefanb@linux.ibm.com>; linux-integrity@vger.kernel.org
>> Cc: zohar@linux.ibm.com; serge@hallyn.com; christian.brauner@ubuntu.com; containers@lists.linux.dev; dmitry.kasatkin@gmail.com; ebiederm@xmission.com; Krzysztof Struczynski <krzysztof.struczynski@huawei.com>; Roberto Sassu <roberto.sassu@huawei.com>; mpeters@redhat.com; lhinds@redhat.com; lsturman@redhat.com; puiterwi@redhat.com; jejb@linux.ibm.com; jamjoom@us.ibm.com; linux-kernel@vger.kernel.org; paul@paul-moore.com; rgb@redhat.com; linux-security-module@vger.kernel.org; jmorris@namei.org
>> Subject: RE: [PATCH v5 14/16] ima: Use mac_admin_ns_capable() to check corresponding capability
>>
>> Hi.
>> My question won't be about capabilities. I'm wondering how IMA-ns which is associated with USER-ns and is created during USER-ns creation would be used by some namespaces orchestration systems, e.g. Kubernetes?.. It seems that it can be run without any user namespaces...
>> Their community just discuss this opportunity to support User namespaces. (see https://github.com/kubernetes/enhancements/pull/2101)
>> Looks like currently IMA-ns will not be applicable for Kubernetes.
>>
>> Br,
>> Denis
>>
>> -----Original Message-----
>> From: Stefan Berger [mailto:stefanb@linux.ibm.com]
>> Sent: Thursday, December 9, 2021 1:18 AM
>> To: linux-integrity@vger.kernel.org
>> Cc: zohar@linux.ibm.com; serge@hallyn.com; christian.brauner@ubuntu.com; containers@lists.linux.dev; dmitry.kasatkin@gmail.com; ebiederm@xmission.com; Krzysztof Struczynski <krzysztof.struczynski@huawei.com>; Roberto Sassu <roberto.sassu@huawei.com>; mpeters@redhat.com; lhinds@redhat.com; lsturman@redhat.com; puiterwi@redhat.com; jejb@linux.ibm.com; jamjoom@us.ibm.com; linux-kernel@vger.kernel.org; paul@paul-moore.com; rgb@redhat.com; linux-security-module@vger.kernel.org; jmorris@namei.org; Stefan Berger <stefanb@linux.ibm.com>; Denis Semakin <denis.semakin@huawei.com>
>> Subject: [PATCH v5 14/16] ima: Use mac_admin_ns_capable() to check corresponding capability
>>
>> Use mac_admin_ns_capable() to check corresponding capability to allow read/write IMA policy without CAP_SYS_ADMIN but with CAP_MAC_ADMIN.
>>
>> Signed-off-by: Denis Semakin <denis.semakin@huawei.com>
>> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>> ---
>>   include/linux/capability.h      | 6 ++++++
>>   security/integrity/ima/ima_fs.c | 2 +-
>>   2 files changed, 7 insertions(+), 1 deletion(-)
>>
>> diff --git a/include/linux/capability.h b/include/linux/capability.h index 65efb74c3585..991579178f32 100644
>> --- a/include/linux/capability.h
>> +++ b/include/linux/capability.h
>> @@ -270,6 +270,12 @@ static inline bool checkpoint_restore_ns_capable(struct user_namespace *ns)
>>   		ns_capable(ns, CAP_SYS_ADMIN);
>>   }
>>   
>> +static inline bool mac_admin_ns_capable(struct user_namespace *ns) {
>> +	return ns_capable(ns, CAP_MAC_ADMIN) ||
>> +		ns_capable(ns, CAP_SYS_ADMIN);
>> +}
>> +
>>   /* audit system wants to get cap info from files as well */  int get_vfs_caps_from_disk(struct user_namespace *mnt_userns,
>>   			   const struct dentry *dentry,
>> diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c index 0e582ceecc7f..a749a3e79304 100644
>> --- a/security/integrity/ima/ima_fs.c
>> +++ b/security/integrity/ima/ima_fs.c
>> @@ -394,7 +394,7 @@ static int ima_open_policy(struct inode *inode, struct file *filp)  #else
>>   		if ((filp->f_flags & O_ACCMODE) != O_RDONLY)
>>   			return -EACCES;
>> -		if (!capable(CAP_SYS_ADMIN))
>> +		if (!mac_admin_ns_capable(ns->user_ns))
>>   			return -EPERM;
>>   		return seq_open(filp, &ima_policy_seqops);  #endif
>> --
>> 2.31.1