From: Mehmet Kayaalp
To: ima-devel
Cc: containers, linux-kernel, linux-security-module, Tycho Andersen, "Serge E. Hallyn", Yuqiong Sun, David Safford, Mehmet Kayaalp, Stefan Berger, Mehmet Kayaalp
Subject: [RFC PATCH 0/5] ima: namespacing IMA audit messages
Date: Thu, 20 Jul 2017 18:50:28 -0400
Message-Id: <20170720225033.21298-1-mkayaalp@linux.vnet.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

This patch set implements an IMA namespace data structure that gets created
alongside a mount namespace with CLONE_NEWNS, and lays down the foundation for
namespacing the different aspects of IMA (e.g. IMA-audit, IMA-measurement,
IMA-appraisal).

The original PoC patches [1] created a new CLONE_NEWIMA flag to explicitly
control when a new IMA namespace should be created. Based on comments, we
elected to hang the IMA namespace off of existing namespaces, and the mount
namespace made the most sense. However, we actually allocate a new namespace
struct in nsproxy, allocate a new inum, and have an ima symlink in /proc/*/ns/,
instead of adding a pointer from the mnt_namespace. As a result, clone() and
unshare() with CLONE_NEWNS result in a new mount and a new IMA namespace, while
setns() called with the fd of /proc/*/ns/mnt would NOT have the same result. A
second setns() call with the fd of /proc/*/ns/ima would be required.

The first patch creates the ima_namespace data, while the second patch puts the
iint->flags in the namespace. The third patch uses these flags for namespacing
the IMA-audit messages, enabling the same file to be audited each time it is
accessed in a new namespace. The rest of the patches are small fixes and
improvements to the audit messages generated by IMA. Subsequent patch sets will
namespace IMA-measurement and IMA-appraisal.

[1] https://sourceforge.net/p/linux-ima/mailman/message/35939754/

Guilherme Magalhaes (1):
  ima: Add ns_mnt, dev, ino fields to IMA audit measurement msgs

Mehmet Kayaalp (2):
  ima: Add ns_status for storing namespaced iint data
  ima: mamespace audit status flags

Mimi Zohar (1):
  ima: differentiate auditing policy rules from "audit" actions

Yuqiong Sun (1):
  ima: extend clone() with IMA namespace support

 fs/proc/namespaces.c                |   3 +
 include/linux/ima.h                 |  40 +++++
 include/linux/nsproxy.h             |   1 +
 include/linux/proc_ns.h             |   2 +
 include/uapi/linux/audit.h          |   3 +-
 init/Kconfig                        |  10 ++
 kernel/nsproxy.c                    |  15 ++
 security/integrity/ima/Makefile     |   1 +
 security/integrity/ima/ima.h        |  49 +++++-
 security/integrity/ima/ima_api.c    |  18 +-
 security/integrity/ima/ima_init.c   |   4 +
 security/integrity/ima/ima_main.c   |  15 +-
 security/integrity/ima/ima_ns.c     | 324 ++++++++++++++++++++++++++++++++++++
 security/integrity/ima/ima_policy.c |   2 +-
 14 files changed, 478 insertions(+), 9 deletions(-)
 create mode 100644 security/integrity/ima/ima_ns.c

-- 
2.9.4
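The clone()/unshare() versus setns() asymmetry the cover letter describes can be checked from userspace, because every namespace is identified by the inode number behind its /proc/<pid>/ns/<name> symlink. The following program is an added example, not part of the patch set or of the kernel tree: it reads those inode numbers before and after unshare(CLONE_NEWNS) and shows the two-step join (setns() on the mnt fd, then on the ima fd) the letter says is required. It assumes a /proc/<pid>/ns/ima entry exists only on a kernel carrying these patches; on mainline that readlink() fails and the probe reports 0, and both unshare() and setns() need CAP_SYS_ADMIN.

```c
/*
 * Added example (not part of the RFC patch set): probe namespace identity
 * via the inode number behind /proc/<pid>/ns/<name> ("mnt:[4026531840]").
 * Two tasks share a namespace exactly when those numbers match. The "ima"
 * entry is assumed to exist only with these patches applied.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Redeclare what we need in case the feature macro above was not seen before
 * <sched.h> was first included; these match glibc's own declarations. */
#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000
#endif
int unshare(int flags);
int setns(int fd, int nstype);

/* Parse the inode number out of a link target such as "mnt:[4026531840]".
 * Returns 0 for anything malformed. */
unsigned long ns_inum_from_link(const char *link)
{
    const char *lb = strchr(link, '[');
    const char *rb = lb ? strchr(lb, ']') : NULL;
    char *end;
    unsigned long inum;

    if (!lb || !rb || rb == lb + 1)
        return 0;
    errno = 0;
    inum = strtoul(lb + 1, &end, 10);
    if (errno || end != rb)
        return 0;
    return inum;
}

/* Inode number of task `pid`'s namespace `name` ("mnt", "ima", ...), or 0 if
 * the symlink does not exist, which is what "ima" yields on an unpatched kernel. */
unsigned long task_ns_inum(pid_t pid, const char *name)
{
    char path[64], target[64];
    ssize_t n;

    snprintf(path, sizeof path, "/proc/%d/ns/%s", (int)pid, name);
    n = readlink(path, target, sizeof target - 1);
    if (n < 0)
        return 0;
    target[n] = '\0';
    return ns_inum_from_link(target);
}

/* Join task `pid`'s mount namespace and then its IMA namespace: as the cover
 * letter notes, setns() on ns/mnt alone does not switch the IMA namespace.
 * The ima step is skipped when the entry is absent. 0 on success, -1 + errno. */
int join_task_namespaces(pid_t pid)
{
    const char *names[] = { "mnt", "ima" };
    char path[64];
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        snprintf(path, sizeof path, "/proc/%d/ns/%s", (int)pid, names[i]);
        int fd = open(path, O_RDONLY | O_CLOEXEC);
        if (fd < 0)
            return (errno == ENOENT && i == 1) ? 0 : -1;
        int rc = setns(fd, 0);
        close(fd);
        if (rc < 0)
            return -1;
    }
    return 0;
}

int main(void)
{
    unsigned long mnt0 = task_ns_inum(getpid(), "mnt");
    unsigned long ima0 = task_ns_inum(getpid(), "ima");

    printf("before unshare: mnt=%lu ima=%lu%s\n", mnt0, ima0,
           ima0 ? "" : " (no ns/ima entry: kernel lacks the IMA namespace patches)");

    /* With the patch set applied this creates a new mount AND a new IMA namespace. */
    if (unshare(CLONE_NEWNS) < 0) {
        perror("unshare(CLONE_NEWNS) (requires CAP_SYS_ADMIN)");
        return 1;
    }
    unsigned long mnt1 = task_ns_inum(getpid(), "mnt");
    unsigned long ima1 = task_ns_inum(getpid(), "ima");
    printf("after unshare:  mnt=%lu ima=%lu\n", mnt1, ima1);
    printf("new mount namespace: %s\n", mnt1 != mnt0 ? "yes" : "no");
    if (ima0)
        printf("new IMA namespace:   %s\n", ima1 != ima0 ? "yes" : "no");
    return 0;
}
```

Run it as root (or with CAP_SYS_ADMIN) on a kernel with and without the series: on the patched kernel the ima inode number changes together with the mnt one after unshare(), which is the behaviour the first paragraph of the cover letter describes, while join_task_namespaces() is the caller-side consequence of the setns() caveat.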