From: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>
To: Christian Brauner <christian.brauner@ubuntu.com>
Cc: "linux-integrity@vger.kernel.org"
<linux-integrity@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"containers@lists.linux-foundation.org"
<containers@lists.linux-foundation.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"zohar@linux.ibm.com" <zohar@linux.ibm.com>,
"stefanb@linux.vnet.ibm.com" <stefanb@linux.vnet.ibm.com>,
"sunyuqiong1988@gmail.com" <sunyuqiong1988@gmail.com>,
"mkayaalp@cs.binghamton.edu" <mkayaalp@cs.binghamton.edu>,
"dmitry.kasatkin@gmail.com" <dmitry.kasatkin@gmail.com>,
"serge@hallyn.com" <serge@hallyn.com>,
"jmorris@namei.org" <jmorris@namei.org>,
"christian@brauner.io" <christian@brauner.io>,
Silviu Vlasceanu <Silviu.Vlasceanu@huawei.com>,
Roberto Sassu <roberto.sassu@huawei.com>,
"ebiederm@xmission.com" <ebiederm@xmission.com>,
"viro@zeniv.linux.org.uk" <viro@zeniv.linux.org.uk>,
"torvalds@linux-foundation.org" <torvalds@linux-foundation.org>,
"luto@amacapital.net" <luto@amacapital.net>,
"jannh@google.com" <jannh@google.com>
Subject: RE: [RFC PATCH 00/30] ima: Introduce IMA namespace
Date: Fri, 21 Aug 2020 15:37:33 +0000
Message-ID: <1b706f78375f472988702f77d607f8f7@huawei.com>
In-Reply-To: <20200818164943.va3um7toztazcfud@wittgenstein>
> From: Christian Brauner [mailto:christian.brauner@ubuntu.com]
> On Tue, Aug 18, 2020 at 05:20:07PM +0200, krzysztof.struczynski@huawei.com
> wrote:
> > From: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>
> >
> > IMA has not been designed to work with containers. It handles every
> > process in the same way, and it cannot distinguish if a process belongs to
> > a container or not.
> >
> > Containers use namespaces to make it appear to the processes in the
> > containers that they have their own isolated instance of the global
> > resource. For IMA as well, it is desirable to let processes in the
>
> IMA is brought up on a regular basis with "we want to have this" for
> years and then no one seems to really care enough.
>
> I'm highly skeptical of the value of ~2500 lines of code even if it
> includes a bunch of namespace boilerplate. It's yet another namespace,
> and yet another security framework.
> Why does IMA need to be a separate namespace? Keyrings are tied to user
> namespaces why can't IMA be? I believe Eric has even pointed that out
> before.
The user namespace has its well-defined purpose: to isolate
security-related identifiers and attributes, particularly UIDs and GIDs.
I think that IMA's goals are different.
A user may want to isolate e.g. UIDs but not to create a separate IML or
define new IMA policies. On the other hand, especially in a
single-tenant environment, the user may want to have a per-container IML,
but no UID/GID mapping is required. The IMA policy defines subject-based
rules (uid, euid, subj_*, ...), but also object-based rules.
IMA has to be pre-configured, e.g. all actions of the process have to be
appraised/measured/audited according to the pre-defined policy, the appraisal
key has to be available before the process is created, etc. If IMA is tied
to the user namespace, when is a good moment to do it?
What's the argument against adding a new namespace?
>
> Eric, thoughts?
>
> Christian
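The distinction the reply draws between subject-based and object-based IMA policy rules is easy to see by parsing a policy. The following is an added example written for this page; it is not code from the RFC series or from the kernel. It implements a simplified reader for the rule syntax documented in Documentation/ABI/testing/ima_policy (one rule per line, an action followed by `key=value` conditions; `uid`, `euid` and `fowner` also accept `>` and `<`) and reports which rules inspect the subject (the process: uid/euid/subj_*), which inspect only the object (the file: fsmagic/fsuuid/fsname/fowner/obj_*), and which match on the hook alone. The sample policy is constructed for the example, loosely modelled on the built-in "tcb" policy; the condition keys it recognises are a subset of what the kernel supports.

```python
"""Classify IMA policy rules by whether they match on subject or object.

Added example, not part of the RFC patch set or the mailing-list thread.
Parses the one-rule-per-line IMA policy syntax and reports which side of
the access each rule's conditions inspect.
"""
import re

ACTIONS = {"measure", "dont_measure", "appraise", "dont_appraise",
           "audit", "hash", "dont_hash"}
# conditions on the process performing the access
SUBJECT_KEYS = {"uid", "euid", "subj_user", "subj_role", "subj_type"}
# conditions on the file being accessed (or the filesystem it lives on)
OBJECT_KEYS = {"fsmagic", "fsuuid", "fsname", "fowner",
               "obj_user", "obj_role", "obj_type"}

# Constructed sample policy for this example (not a real system's policy).
SAMPLE_POLICY = """\
# measure everything root executes
measure func=BPRM_CHECK mask=MAY_EXEC uid=0
dont_measure fsmagic=0x9fa0
dont_appraise fsmagic=0x62656572
appraise fowner=0 appraise_type=imasig
measure func=FILE_MMAP mask=MAY_EXEC
audit func=BPRM_CHECK subj_type=container_t
"""

COND_RE = re.compile(r"(\w+)([=<>])(\S+)")


def parse_rule(line):
    """Return (action, {key: (op, value)}) for one rule line, or None for
    blank/comment lines.  Raises ValueError on malformed input."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    action, *conds = line.split()
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    parsed = {}
    for cond in conds:
        m = COND_RE.fullmatch(cond)
        if not m:
            raise ValueError(f"malformed condition {cond!r}")
        key, op, value = m.groups()
        if op != "=" and key not in {"uid", "euid", "fowner"}:
            raise ValueError(f"operator {op!r} not valid for {key}")
        parsed[key] = (op, value)
    return action, parsed


def parse_policy(text):
    """Parse a whole policy, skipping blank and comment lines."""
    rules = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is not None:
            rules.append(rule)
    return rules


def classify(conds):
    """Return the list of sides a rule inspects: 'subject', 'object',
    both, or an empty list when it matches on the hook/mask alone."""
    keys = set(conds)
    kinds = []
    if keys & SUBJECT_KEYS:
        kinds.append("subject")
    if keys & OBJECT_KEYS:
        kinds.append("object")
    return kinds


def summarize(text):
    """[(action, kinds)] for every rule in the policy text."""
    return [(action, classify(conds)) for action, conds in parse_policy(text)]


if __name__ == "__main__":
    for action, kinds in summarize(SAMPLE_POLICY):
        print(f"{action:14s} {', '.join(kinds) or 'hook only'}")
```

Run stand-alone it lists each rule with "subject", "object" or "hook only"; the subject-based rules are the ones whose uid/euid values would have to be interpreted relative to some namespace, which is the question the reply raises.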
Thread overview: 26+ messages
2020-08-18 15:20 ` [RFC PATCH 00/30] ima: Introduce IMA namespace krzysztof.struczynski
2020-08-18 15:20 ` [RFC PATCH 01/30] ima: Introduce ima namespace krzysztof.struczynski
2020-08-18 15:20 ` [RFC PATCH 02/30] ima: Add a list of the installed ima namespaces krzysztof.struczynski
2020-08-18 15:20 ` [RFC PATCH 03/30] ima: Bind ima namespace to the file descriptor krzysztof.struczynski
2020-08-18 15:20 ` [RFC PATCH 04/30] ima: Add ima policy related data to the ima namespace krzysztof.struczynski
2020-08-18 15:20 ` [RFC PATCH 05/30] ima: Add methods for parsing ima policy configuration string krzysztof.struczynski
2020-08-18 15:20 ` [RFC PATCH 06/30] ima: Add ima namespace to the ima subsystem APIs krzysztof.struczynski
2020-08-18 15:20 ` [RFC PATCH 07/30] ima: Extend the APIs in the integrity subsystem krzysztof.struczynski
2020-08-18 15:20 ` [RFC PATCH 08/30] ima: Add integrity inode related data to the ima namespace krzysztof.struczynski
2020-08-18 15:20 ` [RFC PATCH 09/30] ima: Enable per ima namespace policy settings krzysztof.struczynski
2020-08-18 15:53 ` [RFC PATCH 00/30] ima: Introduce IMA namespace Christian Brauner
2020-08-21 15:18 ` Krzysztof Struczynski
2020-08-18 16:19 ` James Bottomley
2020-08-21 15:13 ` Krzysztof Struczynski
2020-09-02 18:53 ` Mimi Zohar
2020-09-04 14:06 ` Dr. Greg
2020-09-14 12:05 ` Krzysztof Struczynski
2020-08-18 16:49 ` Christian Brauner
2020-08-21 15:37 ` Krzysztof Struczynski [this message]
2020-09-02 19:54 ` Mimi Zohar
2020-09-06 17:14 ` Dr. Greg
[not found] ` <CAKrSGQR3Pw=Rad2RgUuCHqr0r2Nc6x2nLoo2cVAkD+_8Vbmd7A@mail.gmail.com>
2020-09-08 14:03 ` Mimi Zohar
2020-09-14 12:07 ` Krzysztof Struczynski
2020-10-19 9:30 ` Krzysztof Struczynski
2020-10-25 15:00 ` Dr. Greg
2020-09-09 10:11 ` Dr. Greg