On 04/19/2018 04:03 AM, Stefan Berger wrote:
> On 04/18/2018 05:32 PM, John Johansen wrote:
>> On 04/18/2018 01:12 PM, Eric W. Biederman wrote:
>>> Mimi Zohar <[email protected]> writes:
>>>
>>>> On Wed, 2018-04-18 at 09:09 -0700, John Johansen wrote:
>>>>> On 04/13/2018 09:25 AM, Mimi Zohar wrote:
>>>>>> [Cc'ing John Johansen]
>>>>>>
>>>>>> On Tue, 2018-03-27 at 18:01 -0500, Eric W. Biederman wrote:
>>>>>> [...]
>>>>>>> As such I expect the best way to create the ima namespace is by simply
>>>>>>> writing to securityfs/imafs.  Possibly before the user namespace is
>>>>>>> even unshared.  That would allow IMA to keep track of things from
>>>>>>> before a container is created.
>>>>> I do think this is generally the right approach for LSMs when looking
>>>>> forward to LSM stacking and more LSMs.
>>>>>
>>>>>
>>>>>> My initial thought was to stage IMA namespacing with just IMA-audit
>>>>>> first, followed by either IMA-measurement or IMA-appraisal.  This
>>>>>> would allow us to get the basic IMA namespacing framework working and
>>>>>> defer dealing with the securityfs related namespacing of the IMA
>>>>>> policy and measurement list issues to later.
>>>>>>
>>>>>> By tying IMA namespacing to a securityfs ima/unshare file, we would
>>>>>> need to address the securityfs issues first.
>>>>>>
>>>>> well it depends on what you want to do. It would be possible to have
>>>>> a simple file (not a jump link) within securityfs that IMA could use
>>>>> without having to deal with all the securityfs issues first. However it
>>>>> does require that securityfs (not necessarily imafs) be visible within
>>>>> the mount namespace of the task doing the setup.
>>>> Eric, would you be OK with that?
>>> Roughly.  My understanding is that you have to have a write to some
>>> filesystem to set the ima policy.
>>>
>>> I was expecting having to write an "create ima namespace" value
>>> to the filesystem would not be any special effort.
>>>
>>> Now it sounds like providing the "create an ima namespace" is going to
>>> be a special case, and that does not sound correct.
>>>
>> not necessarily special case, but they do need to settle on an interface
>> that will work for them, and will work with the order they want to land
>> things. I was just trying to point out that there are fs solutions that
>> can work without having deal with the full securityfs/imafs namespacing
>> solution landing first.
>>
>> While create a file directly in securityfs that lives along side the imafs
>> dir.
>> ima_create_ns
>> ima/
>> does feel like a special case. It could work
>>
>> what I was thinking of when I proposed a simple is to do it within the ima
>> dir, say
>> ima/create_ns
> 
> Having looked at SELinux and how Steve does it, I chose 'unshare' as the 
> filename and put it into the neighborhood of  existing IMA securityfs files: 
> /sys/kernel/security/ima/unshare. Write a '1' to it and you'll have an IMA 
> namespace upon the next fork()/clone().
> 
>>
>> For now its just a single file but once imafs becomes "virtualized" to a
>> namespace view, each dir that imafs jumplinks to contains a instance of the
>> file.
> 
> Right. We need to virtualize our IMA securityfs entries pretty soon 
> afterwards so that we can start setting policies in an IMA namespace. At the 
> beginning we would not be able to create nested IMA namespaces if a user 
> namespace is involved. My current patches that attempt to do this basically 
> implement it by getting out of securityfs for namespace support and hooking 
> it onto sysfs. On the host we would still use securityfs.
> 
>>
>>
>> Or they could avoid securityfs/imafs entirely and leverage a file in
>> procfs
> 
> If we want to it that way for all other subsystems that do not use a clone() 
> flag, we should maybe decide on that now...
> 

It sounds like its already decided, with ima and selinux going with an unshare 
file within their own fs.

AppArmor went a different route already, splitting namespace creation (mkdir in 
the apparmorfs policy/namespace dir) and the task entering the namespace with a 
write apparmor's equiv of setexeccon.

Reply via email to