From: Mehmet Kayaalp
Subject: [PATCH] ima: namespacing IMA (PoC) - experimental
Date: Tue, 11 Jul 2017 12:33:42 -0400
To: LKML, LSM, linux-ima-devel@lists.sourceforge.net, linux-ima-user@lists.sourceforge.net
Cc: Guilherme Magalhaes, Tycho Andersen, "Serge E. Hallyn", John Johansen, Mimi Zohar, Stefan Berger, Yuqiong Sun, David Safford, Mehmet Kayaalp
List-ID: linux-kernel@vger.kernel.org

This IMA namespacing patch set was initially implemented by Yuqiong Sun, while at IBM Research as a summer intern working with David Safford. It was subsequently modified and rebased by Stefan Berger and Mehmet Kayaalp. The resulting patches are being made available from the "next-namespacing-experimental" branch on https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git as a proof of concept, but will not be upstreamed.

Namespacing IMA is complex. It involves differentiating the IMA global information (e.g. file hashes) from the IMA namespace specific information (e.g. collected, measured, appraised). This information needs to be created, updated, and freed as namespaces come and go, and also freed when files are removed from the file system.

In addition, namespacing IMA properly also requires namespacing the securityfs files (e.g. policy, ascii/binary measurement lists), the keyrings needed for validating file signatures, and the hash table used to prevent the same file from being measured multiple times within the same namespace, yet separately in each namespace. This requires some form of capability/permission checking. Currently, only root with CAP_SYS_ADMIN permission is able to write securityfs files and security xattrs. In addition, the IMA security xattrs need to be namespace aware. (Other LSM subsystems are making similar changes.)

Like other initial subsystem namespacing, this IMA namespacing patch set defines a new IMA namespace that is created with a new clone flag (this needs to be changed). An unprivileged user can create an IMA namespace in a new user namespace. The IMA securityfs policy file can be read and set by a user with CAP_SYS_ADMIN within the user namespace where the IMA namespace is created. The policy can define the namespace measurement and appraisal rules. Measurement is done recursively for each nested IMA namespace. If the file to be measured is in the policy of multiple IMA namespaces, it is measured for each namespace. The list of measurements is available to CAP_SYS_ADMIN in the owning user namespace.
For appraisal, the non-init IMA namespaces use the "_ima" session keyring. If the keyring is created and populated with keys, these keys will be used for the appraisal rules defined in the policy of the IMA namespace. Attestation for the IMA namespace is not supported in this patch set.

For testing, we modified "runc" to create an IMA namespace and initialized the policy and the keyring inside the container between the clone() and exec() system calls. For accessing the IMA files in securityfs inside the container, CAP_SYS_ADMIN is required to be added to the list of capabilities in the config.json file. "runc" tries loading the policy from /etc/default/ima-policy, and keys from /etc/keys/ima/ inside the rootfs of the container. The runc patches are available at the "imans" branch on https://github.com/stefanberger/runc.

Major changes include:

* Keyring creation is moved to userspace.
* Policy file is changed back from procfs to securityfs.
* Temporarily the IMA files are only accessible to CAP_SYS_ADMIN with permissions set to user, group, and other.
* Patches should now be bisect-safe.

Regards,
Mehmet
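The per-namespace measurement lists the cover letter exposes through securityfs have the same ascii_runtime_measurements layout as the host list, so an operator inspecting a container's list needs the same integrity check: each line carries a template hash that must match the entry's own fields, and the ordered template hashes must fold into the expected PCR aggregate. The following is an added example, not code from the patch set or from runc. It assumes the ima-ng template format as implemented in the kernel's template code (each field hashed as a native-endian u32 length followed by its data; "d-ng" is "<algo>:\0" plus the raw digest, "n-ng" is the filename plus a trailing NUL; the template hash is SHA-1; violation entries are logged with an all-zero template hash and extend the PCR with 0xff bytes), and all sample lines below are constructed, not taken from a real system.

```python
"""Parse and re-verify IMA ascii_runtime_measurements lines (ima-ng template).

Added example; assumptions about the ima-ng field encoding are noted inline.
"""
import hashlib
import hmac
import struct

TEMPLATE_HASH_ALGO = "sha1"      # assumption: template hash algorithm used by the kernel list
PCR_SIZE = hashlib.new(TEMPLATE_HASH_ALGO).digest_size


def encode_field(data: bytes) -> bytes:
    """ima-ng feeds each field to the template hash as u32 length + data (assumed LE host)."""
    return struct.pack("<I", len(data)) + data


def ima_ng_template_hash(algo: str, digest: bytes, filename: str) -> bytes:
    """Recompute the template hash of an ima-ng entry from its d-ng and n-ng fields."""
    d_ng = algo.encode() + b":\0" + digest   # "<algo>:" + NUL + raw digest bytes
    n_ng = filename.encode() + b"\0"         # filename with trailing NUL
    h = hashlib.new(TEMPLATE_HASH_ALGO)
    h.update(encode_field(d_ng))
    h.update(encode_field(n_ng))
    return h.digest()


def build_measurement_line(pcr: int, algo: str, digest_hex: str, filename: str) -> str:
    """Produce a list line in the same layout the kernel prints (used to construct samples)."""
    thash = ima_ng_template_hash(algo, bytes.fromhex(digest_hex), filename).hex()
    return f"{pcr} {thash} ima-ng {algo}:{digest_hex} {filename}"


def parse_measurement_line(line: str) -> dict:
    """Split 'PCR template-hash template-name algo:digest filename' (filename may contain spaces)."""
    pcr, thash, template, d_ng, filename = line.rstrip("\n").split(" ", 4)
    if template != "ima-ng":
        raise ValueError(f"unsupported template {template!r}")
    algo, sep, digest_hex = d_ng.partition(":")
    if not sep:
        raise ValueError("d-ng field lacks an algorithm prefix")
    return {
        "pcr": int(pcr),
        "template_hash": bytes.fromhex(thash),
        "algo": algo,
        "digest": bytes.fromhex(digest_hex),
        "filename": filename,
    }


def is_violation(entry: dict) -> bool:
    """Violation entries (e.g. open_writers) are recorded with an all-zero template hash."""
    return entry["template_hash"] == bytes(PCR_SIZE)


def verify_measurement_line(line: str) -> bool:
    """True if the stored template hash matches the one recomputed from the entry's fields."""
    entry = parse_measurement_line(line)
    if is_violation(entry):
        # Nothing to recompute; the only consistent violation record has a zero digest too.
        return entry["digest"] == bytes(len(entry["digest"]))
    expected = ima_ng_template_hash(entry["algo"], entry["digest"], entry["filename"])
    return hmac.compare_digest(expected, entry["template_hash"])


def pcr_aggregate(lines: list) -> bytes:
    """Replay the extend chain: PCR = H(PCR || template_hash), 0xff fill for violations."""
    pcr = bytes(PCR_SIZE)
    for line in lines:
        entry = parse_measurement_line(line)
        extend_value = b"\xff" * PCR_SIZE if is_violation(entry) else entry["template_hash"]
        pcr = hashlib.new(TEMPLATE_HASH_ALGO, pcr + extend_value).digest()
    return pcr


# Constructed sample list: boot_aggregate, one regular file, one violation record.
SAMPLE_LINES = [
    build_measurement_line(10, "sha1", "11" * 20, "boot_aggregate"),
    build_measurement_line(10, "sha256", "ab" * 32, "/usr/bin/true"),
    f"10 {'00' * PCR_SIZE} ima-ng sha1:{'00' * 20} open_writers",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("ok " if verify_measurement_line(line) else "BAD", line)
    print("PCR-10 aggregate:", pcr_aggregate(SAMPLE_LINES).hex())
```

Reading the list from a namespace's securityfs (`ascii_runtime_measurements` under the IMA directory) and feeding its lines to `verify_measurement_line` and `pcr_aggregate` detects a tampered or truncated list: an edited filename or digest no longer matches its template hash, and a dropped or reordered entry changes the replayed aggregate.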