RE: [RFC PATCH 00/30] ima: Introduce IMA namespace

From: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>
To: Christian Brauner <christian.brauner@ubuntu.com>
Cc: "linux-integrity@vger.kernel.org"
	<linux-integrity@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"containers@lists.linux-foundation.org" 
	<containers@lists.linux-foundation.org>,
	"linux-security-module@vger.kernel.org" 
	<linux-security-module@vger.kernel.org>,
	"zohar@linux.ibm.com" <zohar@linux.ibm.com>,
	"stefanb@linux.vnet.ibm.com" <stefanb@linux.vnet.ibm.com>,
	"sunyuqiong1988@gmail.com" <sunyuqiong1988@gmail.com>,
	"mkayaalp@cs.binghamton.edu" <mkayaalp@cs.binghamton.edu>,
	"dmitry.kasatkin@gmail.com" <dmitry.kasatkin@gmail.com>,
	"serge@hallyn.com" <serge@hallyn.com>,
	"jmorris@namei.org" <jmorris@namei.org>,
	"christian@brauner.io" <christian@brauner.io>,
	Silviu Vlasceanu <Silviu.Vlasceanu@huawei.com>,
	Roberto Sassu <roberto.sassu@huawei.com>,
	"ebiederm@xmission.com" <ebiederm@xmission.com>,
	"viro@zeniv.linux.org.uk" <viro@zeniv.linux.org.uk>,
	"torvalds@linux-foundation.org" <torvalds@linux-foundation.org>,
	"luto@amacapital.net" <luto@amacapital.net>,
	"jannh@google.com" <jannh@google.com>
Subject: RE: [RFC PATCH 00/30] ima: Introduce IMA namespace
Date: Fri, 21 Aug 2020 15:37:33 +0000	[thread overview]
Message-ID: <1b706f78375f472988702f77d607f8f7@huawei.com> (raw)
In-Reply-To: <20200818164943.va3um7toztazcfud@wittgenstein>

> From: Christian Brauner [mailto:christian.brauner@ubuntu.com]
> On Tue, Aug 18, 2020 at 05:20:07PM +0200, krzysztof.struczynski@huawei.com
> wrote:
> > From: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>
> >
> > IMA has not been designed to work with containers. It handles every
> > process in the same way, and it cannot distinguish if a process belongs to
> > a container or not.
> >
> > Containers use namespaces to make it appear to the processes in the
> > containers that they have their own isolated instance of the global
> > resource. For IMA as well, it is desirable to let processes in the
> 
> IMA is brought up on a regular basis with "we want to have this" for
> years and then non-one seems to really care enough.
> 
> I'm highly skeptical of the value of ~2500 lines of code even if it
> includes a bunch of namespace boilerplate. It's yet another namespace,
> and yet another security framework.
> Why does IMA need to be a separate namespace? Keyrings are tied to user
> namespaces why can't IMA be? I believe Eric has even pointed that out
> before.

The user namespace has its well defined purpose to isolate
security-related identifiers and attributes, particularly UIDs and GIDs.
I think that IMA goals are different.

A user may want to isolate e.g. UIDs but not to create a separate IML or
define the new IMA policies. On the other hand, especially in the
single-tenant environment, the user may want to have a per container IML,
but no UID/GID mapping is required. IMA policy defines subject-based
rules (uid, euid, subj_*, ...), but also object-based rules.

IMA has to be pre-configured, e.g. all actions of the process have to be
appraised/measured/audited according to the pre-defined policy, appraisal
key has to be available before the process is created, etc. If IMA is tied
to the user namespace, when is a good moment to do it?

What's the argument against adding a new namespace?

> 
> Eric, thoughts?
> 
> Christian