Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752042AbdG1OUV (ORCPT ); Fri, 28 Jul 2017 10:20:21 -0400 Received: from g2t1383g.austin.hpe.com ([15.233.16.89]:57420 "EHLO g2t1383g.austin.hpe.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751761AbdG1OUT (ORCPT ); Fri, 28 Jul 2017 10:20:19 -0400 From: "Magalhaes, Guilherme (Brazil R&D-CL)" To: Mimi Zohar , "Serge E. Hallyn" CC: Mehmet Kayaalp , Yuqiong Sun , containers , linux-kernel , David Safford , "James Bottomley" , linux-security-module , ima-devel , Yuqiong Sun Subject: RE: [Linux-ima-devel] [RFC PATCH 1/5] ima: extend clone() with IMA namespace support Thread-Topic: [Linux-ima-devel] [RFC PATCH 1/5] ima: extend clone() with IMA namespace support Thread-Index: AQHTAasZRnYdXqbK8Eu44qjVHwfC/qJk2nOAgAAPogCAAAQnAIAAAV6AgAAK6QCAAAaNgIAACb8AgAADPYCAAALQgIAABdUAgAKLihCAACa8gIABiu2g Date: Fri, 28 Jul 2017 14:19:59 +0000 Message-ID: References: <20170720225033.21298-1-mkayaalp@linux.vnet.ibm.com> <20170720225033.21298-2-mkayaalp@linux.vnet.ibm.com> <20170725175317.GA727@mail.hallyn.com> <1501008554.3689.30.camel@HansenPartnership.com> <20170725190406.GA1883@mail.hallyn.com> <1501009739.3689.33.camel@HansenPartnership.com> <1501012082.27413.17.camel@linux.vnet.ibm.com> <645db815-7773-e351-5db7-89f38cd88c3d@linux.vnet.ibm.com> <20170725204622.GA4969@mail.hallyn.com> <1501016277.27413.50.camel@linux.vnet.ibm.com> <20170725210801.GA5628@mail.hallyn.com> <1501018134.27413.66.camel@linux.vnet.ibm.com> <1501166369.28419.171.camel@linux.vnet.ibm.com> In-Reply-To: <1501166369.28419.171.camel@linux.vnet.ibm.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: spf=none (sender IP is ) smtp.mailfrom=guilherme.magalhaes@hpe.com; x-originating-ip: [15.211.195.12] x-ms-publictraffictype: Email x-microsoft-exchange-diagnostics: 1;TU4PR84MB0304;7:/OcfxWXgxH2Tf6IASeyvJqkx7iFb2EwivQnNLER6PRLsToVWXS6XiNpgZ+1Q/hBF74tG8261XTdenqhZD+U8kTg+5nmZ4TPI2Z9foCBuJy40tEVfwRkMsYdK25E9F5tPUM+CKjNPE2vpcwWxJo/kF5vHMdqtYFYsn4Ig/Y2Wk9UDyO3oXT72bnGqdTzDR0Ovrv8jP3vzcZcmlST2AkYTq/QMmnruYbPR+rK0/UVO/mLaANZBAxoK9Rwi+3CvtJyUd/RPi9F5/yS++ttGqqWv4Fwd6G1LrBioU736g5odF2c3LfdNrpuYUEPU6aPxtyZEPkB14NqiEmYMHSZnR3KbqWk80rQ1aZWJ4k3AF5o2DQ31VDkuWB7rshOlQYO5H6VVkbcHgDct4ct7dVOoNKb6XBY07wVYX3WXqoDi0/+0vxW2WvX/m1+iPSrPCYhit3hhKx16umY35HDtT8ormkv5qCYHmAchWAFxlF6ddkjZ31XAm49/PiyHtjq0o0nQoCq91StMJKDlPnKrb0IBrV/RPDkOqjagT7VXGQ4cSK2rqgM8jLnGsaoMlLnz3C+kKStc0wnlb9jd2mWgZ7oV1hUCdZ+TmNPAkN0CXiopGTl5E29uCVw3ManJlrP3q0/SasK7fI2QpNuVkJffOju7oBaYI8ocDF0k7sy929sevkvw/4Qjlb1FVX1wun9ru0Y3Dc26RDh/wF9+pZWN+4M/4+L1n068JOSVyqUVxViSsd+6egoWgq7bQtZiyeM9mYzOxVQNBjZYoH74epiYGnJu+WGqZeex09d63s4DvTDdJj+y+NU= x-ms-office365-filtering-correlation-id: be2b6c89-692c-4b2b-3aea-08d4d5c3bad6 x-ms-office365-filtering-ht: Tenant x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254075)(48565401081)(300000503095)(300135400095)(2017052603031)(201703131423075)(201703031133081)(201702281549075)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095);SRVR:TU4PR84MB0304; x-ms-traffictypediagnostic: TU4PR84MB0304: x-exchange-antispam-report-test: UriScan:; x-microsoft-antispam-prvs: x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(601004)(2401047)(8121501046)(5005006)(10201501046)(93006095)(93001095)(3002001)(100000703101)(100105400095)(6055026)(6041248)(20161123555025)(20161123560025)(20161123564025)(20161123558100)(20161123562025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(6072148)(100000704101)(100105200095)(100000705101)(100105500095);SRVR:TU4PR84MB0304;BCL:0;PCL:0;RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095);SRVR:TU4PR84MB0304; x-forefront-prvs: 03827AF76E x-forefront-antispam-report: SFV:NSPM;SFS:(10019020)(6009001)(39860400002)(39840400002)(39450400003)(39400400002)(39410400002)(39850400002)(199003)(189002)(2950100002)(38730400002)(25786009)(6246003)(53936002)(8656003)(54906002)(39060400002)(101416001)(6116002)(102836003)(3846002)(3660700001)(7696004)(3280700002)(6506006)(2906002)(478600001)(229853002)(7736002)(305945005)(2900100001)(55016002)(77096006)(9686003)(8936002)(4326008)(81156014)(81166006)(189998001)(50986999)(68736007)(8676002)(33656002)(14454004)(86362001)(7416002)(105586002)(5660300001)(230783001)(66066001)(93886004)(74316002)(6436002)(54356999)(106356001)(76176999)(97736004)(217873001);DIR:OUT;SFP:1102;SCL:1;SRVR:TU4PR84MB0304;H:TU4PR84MB0302.NAMPRD84.PROD.OUTLOOK.COM;FPR:;SPF:None;PTR:InfoNoRecords;A:1;MX:1;LANG:en; spamdiagnosticoutput: 1:99 spamdiagnosticmetadata: NSPM Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Jul 2017 14:19:59.4460 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 105b2061-b669-4b31-92ac-24d304d195dc X-MS-Exchange-Transport-CrossTenantHeadersStamped: TU4PR84MB0304 X-OriginatorOrg: hpe.com Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from base64 to 8bit by nfs id v6SEKQaF013598 Content-Length: 884 Lines: 19 > > Each measurement entry in the list could have new fields to identify > > the namespace. Since the namespaces can be reused, a timestamp or > > others fields could be added to uniquely identify the namespace id. > > The more fields included in the measurement list, the more > measurements will be added to the measurement list. Wouldn't it be > enough to know that a certain file has been accessed/executed on the > system and base any analytics/forensics on the IMA-audit data. With the recursive application of policy through the namespace hierarchy, a measurement added to the parent namespace could be misleading since the file pathname makes sense in the current namespace but possibly not for the parent namespace. This is the reason why I believe some new field might be needed in the IMA template format to indicate or uniquely identify the namespace. -- Guilherme