Subject: Re: [Linux-ima-devel] [RFC PATCH 1/5] ima: extend clone() with IMA namespace support
From: Mimi Zohar
To: "Magalhaes, Guilherme (Brazil R&D-CL)", "Serge E. Hallyn"
Cc: Mehmet Kayaalp, Yuqiong Sun, containers, linux-kernel, David Safford, James Bottomley, linux-security-module, ima-devel, Yuqiong Sun
Date: Mon, 31 Jul 2017 07:31:58 -0400
Message-Id: <1501500718.9230.85.camel@linux.vnet.ibm.com>
References: <20170720225033.21298-1-mkayaalp@linux.vnet.ibm.com> <20170720225033.21298-2-mkayaalp@linux.vnet.ibm.com> <20170725175317.GA727@mail.hallyn.com> <1501008554.3689.30.camel@HansenPartnership.com> <20170725190406.GA1883@mail.hallyn.com> <1501009739.3689.33.camel@HansenPartnership.com> <1501012082.27413.17.camel@linux.vnet.ibm.com> <645db815-7773-e351-5db7-89f38cd88c3d@linux.vnet.ibm.com> <20170725204622.GA4969@mail.hallyn.com> <1501016277.27413.50.camel@linux.vnet.ibm.com> <20170725210801.GA5628@mail.hallyn.com> <1501018134.27413.66.camel@linux.vnet.ibm.com> <1501166369.28419.171.camel@linux.vnet.ibm.com>
On Fri, 2017-07-28 at 14:19 +0000, Magalhaes, Guilherme (Brazil R&D-CL) wrote:
> > > Each measurement entry in the list could have new fields to identify
> > > the namespace. Since the namespaces can be reused, a timestamp or
> > > other fields could be added to uniquely identify the namespace id.
> >
> > The more fields included in the measurement list, the more
> > measurements will be added to the measurement list. Wouldn't it be
> > enough to know that a certain file has been accessed/executed on the
> > system and base any analytics/forensics on the IMA-audit data?
>
> With the recursive application of policy through the namespace hierarchy,
> a measurement added to the parent namespace could be misleading since
> the file pathname makes sense in the current namespace but possibly not
> for the parent namespace.

Fair enough.

> This is the reason why I believe some new field
> might be needed in the IMA template format to indicate or uniquely
> identify the namespace.

I would probably include information to uniquely identify the file (e.g.
UUID, mountpoint), not the namespace.

Mimi
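The following is an added example, not code from the thread or from the IMA patch set, illustrating the ambiguity the two replies above are discussing from the point of view of someone reading the measurement list in the parent namespace. It parses constructed measurement lines laid out like the existing ima-ng template (PCR, template hash, template name, algo:digest, pathname) and shows that the pathname alone cannot tell three different /usr/bin/sh binaries apart. It then parses the same events in a hypothetical extended layout (template name `ima-ng-fileid` and the `fsuuid:inode` column are inventions for this example, standing in for the "UUID, mountpoint" style of file identity suggested in the reply) and shows that grouping by that identity is unambiguous. All digests, UUIDs and inode numbers are constructed.

```python
import hashlib
from collections import defaultdict


def constructed_digest(label, algo="sha256"):
    """Deterministic stand-in for a real digest (constructed, not kernel output)."""
    return hashlib.new(algo, label.encode()).hexdigest()


# Constructed lines in the ima-ng layout:
#   PCR  template-hash  template-name  algo:filedata-digest  pathname
# Three different binaries (host, container A, container B) all measured
# under the pathname /usr/bin/sh as seen inside their own mount namespace.
IMA_NG_LIST = "\n".join([
    f"10 {constructed_digest('t1', 'sha1')} ima-ng sha256:{constructed_digest('host sh')} /usr/bin/sh",
    f"10 {constructed_digest('t2', 'sha1')} ima-ng sha256:{constructed_digest('container-a sh')} /usr/bin/sh",
    f"10 {constructed_digest('t3', 'sha1')} ima-ng sha256:{constructed_digest('container-b sh')} /usr/bin/sh",
    f"10 {constructed_digest('t4', 'sha1')} ima-ng sha256:{constructed_digest('host ls')} /usr/bin/ls",
])

# Hypothetical extended layout (not a real IMA template): an extra
# "fsuuid:inode" column before the pathname carries file identity that
# does not depend on which namespace the pathname was resolved in.
UUID_HOST = "00000000-0000-0000-0000-00000000aaaa"  # constructed
UUID_CT_A = "00000000-0000-0000-0000-00000000bbbb"  # constructed
UUID_CT_B = "00000000-0000-0000-0000-00000000cccc"  # constructed
EXTENDED_LIST = "\n".join([
    f"10 {constructed_digest('t1', 'sha1')} ima-ng-fileid sha256:{constructed_digest('host sh')} {UUID_HOST}:4711 /usr/bin/sh",
    f"10 {constructed_digest('t2', 'sha1')} ima-ng-fileid sha256:{constructed_digest('container-a sh')} {UUID_CT_A}:4711 /usr/bin/sh",
    f"10 {constructed_digest('t3', 'sha1')} ima-ng-fileid sha256:{constructed_digest('container-b sh')} {UUID_CT_B}:2048 /usr/bin/sh",
    f"10 {constructed_digest('t4', 'sha1')} ima-ng-fileid sha256:{constructed_digest('host ls')} {UUID_HOST}:4712 /usr/bin/ls",
])


def parse_entry(line):
    """Parse one ima-ng line or one line of the hypothetical extended layout."""
    pcr, template_hash, template, filedata, rest = line.split(maxsplit=4)
    algo, digest = filedata.split(":", 1)
    entry = {"pcr": int(pcr), "template_hash": template_hash,
             "template": template, "algo": algo, "digest": digest}
    if template == "ima-ng-fileid":
        # hypothetical column: "<fs uuid>:<inode>" followed by the pathname
        ident, path = rest.split(maxsplit=1)
        fs_uuid, inode = ident.split(":")
        entry["file_id"] = (fs_uuid, int(inode))
    else:
        entry["file_id"] = None
        path = rest
    entry["path"] = path
    return entry


def parse_list(text):
    return [parse_entry(l) for l in text.splitlines() if l.strip()]


def digests_by_key(entries, key):
    """Map key(entry) -> set of distinct file digests seen under that key."""
    groups = defaultdict(set)
    for e in entries:
        groups[key(e)].add(e["digest"])
    return groups


def ambiguous_paths(entries):
    """Pathnames seen with more than one digest. A reader in the parent
    namespace cannot tell from the pathname which mount each entry refers to."""
    groups = digests_by_key(entries, lambda e: e["path"])
    return {p: len(d) for p, d in groups.items() if len(d) > 1}


def ambiguous_file_ids(entries):
    """Same check keyed on the hypothetical (fs uuid, inode) identity."""
    groups = digests_by_key(entries, lambda e: e["file_id"])
    return {k: len(d) for k, d in groups.items() if len(d) > 1}


def attribute_to_mount(entries, mounts):
    """Resolve each extended entry to a mount description via its fs UUID."""
    return [(mounts.get(e["file_id"][0], "unknown"), e["path"])
            for e in entries if e["file_id"] is not None]


if __name__ == "__main__":
    print("ima-ng, by pathname:", ambiguous_paths(parse_list(IMA_NG_LIST)))
    ext = parse_list(EXTENDED_LIST)
    print("extended, by file id:", ambiguous_file_ids(ext))
    mounts = {UUID_HOST: "host rootfs", UUID_CT_A: "container-a rootfs",
              UUID_CT_B: "container-b rootfs"}
    for where, path in attribute_to_mount(ext, mounts):
        print(f"{path} from {where}")
```

Keying analytics on file identity rather than on the namespace also sidesteps the namespace-id reuse problem raised earlier in the thread: a filesystem UUID plus inode identifies the same object no matter how many containers are created and torn down around it.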