2022-02-02 18:51:26

by Stefan Berger

[permalink] [raw]
Subject: Re: [PATCH v10 00/27] ima: Namespace IMA with audit support in IMA-ns


On 2/2/22 11:04, Mimi Zohar wrote:
> On Wed, 2022-02-02 at 09:40 -0500, Stefan Berger wrote:
>> On 2/2/22 09:13, Christian Brauner wrote:
>>> On Tue, Feb 01, 2022 at 03:37:08PM -0500, Stefan Berger wrote:
>>>> v10:
>>>> - Added A-b's; addressed issues from v9
>>>> - Added 2 patches to support freeing of iint after namespace deletion
>>>> - Added patch to return error code from securityfs functions
>>>> - Added patch to limit number of policy rules in IMA-ns to 1024
>>> I'm going to go take a lighter touch with this round of reviews.
>>> First, because I have February off. :)
>>> Second, because I think that someone who is more familiar with IMA and
>>> its requirements should take another look to provide input and ask more
>>> questions. Last time I spoke to Serge he did want to give this a longer
>>> look and maybe also has additional questions.
>> The one problem I am seeing is that we probably cannot support auditing
>> in IMA namespaces since every user can now create an IMA namespace.
>> Unless auditing was namespaced, the way it is now gives too much control
>> to the user to flood the host audit log.
> Stefan, we need to differentiate between the different types of audit
> records being produced by IMA. Some of these are informational, like
> the policy rules being loaded or "Time of Measure, Time of Use"
> (ToMToU) records. When we discuss IMA-audit we're referring to the
> file hashes being added in the audit log. These are the result of the
> IMA "audit" policy rules.
>
> How much of these informational messages should be audited in IMA
> namespaces still needs to be discussed. For now, feel free to limit
> the audit messages to just the file hashes.
I doubt we should let a user produce informational audit messages or
audit messages related to file hashes... it's unfortunate, but it opens
a door for abuse.

> thanks,
>
> Mimi
>


2022-02-03 02:26:29

by Stefan Berger

[permalink] [raw]
Subject: Re: [PATCH v10 00/27] ima: Namespace IMA with audit support in IMA-ns


On 2/2/22 13:18, Stefan Berger wrote:
>
> On 2/2/22 11:04, Mimi Zohar wrote:
>> Stefan, we need to differentiate between the different types of audit
>> records being produced by IMA.  Some of these are informational, like
>> the policy rules being loaded or "Time of Measure, Time of Use"
>> (ToMToU) records.  When we discuss IMA-audit we're referring to the
>> file hashes being added in the audit log.  These are the result of the
>> IMA "audit" policy rules.
>>
>> How much of these informational messages should be audited in IMA
>> namespaces still needs to be discussed.  For now, feel free to limit
>> the audit messages to just the file hashes.
> I doubt we should let a user produce informational audit messages or
> audit messages related to file hashes... it's unfortunate, but it
> opens a door for abuse.

After some offline discussion with Mimi, the solution may be to gate
setting IMA audit policy rules with CAP_SYS_ADMIN.

   Stefan