From: Casey Schaufler <casey@schaufler-ca.com>
To: Stefan Berger <stefanb@linux.ibm.com>, linux-integrity@vger.kernel.org
Cc: zohar@linux.ibm.com, serge@hallyn.com, brauner@kernel.org,
containers@lists.linux.dev, dmitry.kasatkin@gmail.com,
ebiederm@xmission.com, krzysztof.struczynski@huawei.com,
roberto.sassu@huawei.com, mpeters@redhat.com, lhinds@redhat.com,
lsturman@redhat.com, puiterwi@redhat.com, jejb@linux.ibm.com,
jamjoom@us.ibm.com, linux-kernel@vger.kernel.org,
paul@paul-moore.com, rgb@redhat.com,
linux-security-module@vger.kernel.org, jmorris@namei.org,
jpenumak@redhat.com, casey@schaufler-ca.com
Subject: Re: [PATCH v14 00/26] ima: Namespace IMA with audit support in IMA-ns
Date: Fri, 16 Sep 2022 10:05:09 -0700 [thread overview]
Message-ID: <49617fa0-998d-1e6d-7d86-212139dff51b@schaufler-ca.com> (raw)
In-Reply-To: <556b21f9-56ae-7ff6-c38a-9ca856438a66@linux.ibm.com>
On 9/16/2022 3:54 AM, Stefan Berger wrote:
>
>
> On 9/15/22 20:56, Casey Schaufler wrote:
>> On 9/15/2022 12:31 PM, Stefan Berger wrote:
>>> The goal of this series of patches is to start with the namespacing of
>>> IMA and support auditing within an IMA namespace (IMA-ns) as the first
>>> step.
>>>
>>> In this series the IMA namespace is piggybacking on the user namespace
>>> and therefore an IMA namespace is created when a user namespace is
>>> created, although this is done late when SecurityFS is mounted inside
>>> a user namespace. The advantage of piggybacking on the user namespace
>>> is that the user namespace can provide the keys infrastructure that IMA
>>> appraisal support will need later on.
>>>
>>> We chose the goal of supporting auditing within an IMA namespace
>>> since it
>>> requires the least changes to IMA. Following this series, auditing
>>> within
>>> an IMA namespace can be activated by a root running the following lines
>>> that rely on a statically linked busybox to be installed on the host
>>> for
>>> execution within the minimal container environment:
>>>
>>> As root (since audit rules may now only be set by root):
>>
>> How about calling out the required capabilities? You don't need
>> to be root, you need a specific set of capabilities. It would be
>> very useful for the purposes of understanding the security value
>> of the patch set to know this.
>>
> CAP_AUDIT_WRITE?
Not everyone is going to know that. And, is it the only capability
required to make "things work"? If you call it out in the take message
people are going to have a better idea about the relationships between
IMA, audit and capabilities. That's pretty important for unprivileged
containers.
next prev parent reply other threads:[~2022-09-16 17:05 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-15 19:31 [PATCH v14 00/26] ima: Namespace IMA with audit support in IMA-ns Stefan Berger
2022-09-15 19:31 ` [PATCH v14 01/26] securityfs: rework dentry creation Stefan Berger
2022-09-15 19:31 ` [PATCH v14 02/26] securityfs: Extend securityfs with namespacing support Stefan Berger
2022-09-15 19:31 ` [PATCH v14 03/26] ima: Define ima_namespace struct and start moving variables into it Stefan Berger
2022-09-15 19:31 ` [PATCH v14 04/26] ima: Move arch_policy_entry into ima_namespace Stefan Berger
2022-09-15 19:32 ` [PATCH v14 05/26] ima: Move ima_htable " Stefan Berger
2022-09-15 19:32 ` [PATCH v14 06/26] ima: Move measurement list related variables " Stefan Berger
2022-09-15 19:32 ` [PATCH v14 07/26] ima: Move some IMA policy and filesystem " Stefan Berger
2022-09-15 19:32 ` [PATCH v14 08/26] ima: Move IMA securityfs files into ima_namespace or onto stack Stefan Berger
2022-09-15 19:32 ` [PATCH v14 09/26] ima: Move ima_lsm_policy_notifier into ima_namespace Stefan Berger
2022-09-15 19:32 ` [PATCH v14 10/26] ima: Switch to lazy lsm policy updates for better performance Stefan Berger
2022-09-15 19:32 ` [PATCH v14 11/26] ima: Define mac_admin_ns_capable() as a wrapper for ns_capable() Stefan Berger
2022-09-15 19:32 ` [PATCH v14 12/26] ima: Only accept AUDIT rules for non-init_ima_ns namespaces for now Stefan Berger
2022-09-15 19:32 ` [PATCH v14 13/26] userns: Add pointer to ima_namespace to user_namespace Stefan Berger
2022-09-15 19:32 ` [PATCH v14 14/26] ima: Implement hierarchical processing of file accesses Stefan Berger
2022-09-15 19:32 ` [PATCH v14 15/26] ima: Implement ima_free_policy_rules() for freeing of an ima_namespace Stefan Berger
2022-09-15 19:32 ` [PATCH v14 16/26] ima: Add functions for creating and " Stefan Berger
2022-09-15 19:32 ` [PATCH v14 17/26] integrity/ima: Define ns_status for storing namespaced iint data Stefan Berger
2022-09-15 19:32 ` [PATCH v14 18/26] integrity: Add optional callback function to integrity_inode_free() Stefan Berger
2022-09-15 19:32 ` [PATCH v14 19/26] ima: Namespace audit status flags Stefan Berger
2022-09-15 19:32 ` [PATCH v14 20/26] ima: Remove unused iints from the integrity_iint_cache Stefan Berger
2022-09-15 19:32 ` [PATCH v14 21/26] ima: Setup securityfs for IMA namespace Stefan Berger
2022-09-15 19:32 ` [PATCH v14 22/26] ima: Introduce securityfs file to activate an " Stefan Berger
2022-09-15 19:32 ` [PATCH v14 23/26] ima: Show owning user namespace's uid and gid when displaying policy Stefan Berger
2022-09-15 19:32 ` [PATCH v14 24/26] ima: Limit number of policy rules in non-init_ima_ns Stefan Berger
2022-09-15 19:32 ` [PATCH v14 25/26] ima: Restrict informational audit messages to init_ima_ns Stefan Berger
2022-09-15 19:32 ` [PATCH v14 26/26] ima: Enable IMA namespaces Stefan Berger
2022-09-16 0:56 ` [PATCH v14 00/26] ima: Namespace IMA with audit support in IMA-ns Casey Schaufler
2022-09-16 10:54 ` Stefan Berger
2022-09-16 13:20 ` Stefan Berger
2022-09-16 17:05 ` Casey Schaufler [this message]
2022-09-20 20:08 ` Stefan Berger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=49617fa0-998d-1e6d-7d86-212139dff51b@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=brauner@kernel.org \
--cc=containers@lists.linux.dev \
--cc=dmitry.kasatkin@gmail.com \
--cc=ebiederm@xmission.com \
--cc=jamjoom@us.ibm.com \
--cc=jejb@linux.ibm.com \
--cc=jmorris@namei.org \
--cc=jpenumak@redhat.com \
--cc=krzysztof.struczynski@huawei.com \
--cc=lhinds@redhat.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lsturman@redhat.com \
--cc=mpeters@redhat.com \
--cc=paul@paul-moore.com \
--cc=puiterwi@redhat.com \
--cc=rgb@redhat.com \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=stefanb@linux.ibm.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).