Received: by 10.223.185.116 with SMTP id b49csp193622wrg; Thu, 8 Mar 2018 15:32:41 -0800 (PST) X-Google-Smtp-Source: AG47ELv+Kdq/loUlm9WtFXPzswOhEReQ4SnnO7hW7UJ5IVmru1aXdBERvnebqJAnJ4Dry5zeAFIw X-Received: by 10.98.57.215 with SMTP id u84mr27441428pfj.152.1520551961562; Thu, 08 Mar 2018 15:32:41 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1520551961; cv=none; d=google.com; s=arc-20160816; b=ZvRGc8XAvVeLE/BFYEpz6kj6HxDx/l3cSbniXrP6XTmVB3qTXzV8HqAPvzs5rG3XmZ GV1S0ftBQ2wkaa7t/4/veWEqAhoEv3D8E/7TBG1qDsQ6tVIgbF1mILAgMxU7aWKgxMoc /Kpfh6ySTQKxmMBOMhNQOs/RTieZsVHU2iI6jHUCKOlgppx4Yye6JBgR3IQMMDE/lIC7 pyAUiapgkNWmmwPRq7Igv+U7Lt8h73fJ/A8qd77ODkpexJZK8noDEzX0ZXFiucS44Jmq pBcC+AQW8/D5fC58sWazm0MAvSxQWYJVcOaCn4Hq9CPMRWO7f+hga4pZCZBLNKt1uID3 hZDQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=pqPxJZx2KfIjz75xmD/kg9+TnBOGyCwC8Y7bRkiPX5Q=; b=UDCTH0M9viQuKqE1oTObHsEWFTU5FggqsvdCclPwfKZZbY6O6yVKqaxx9YfnJTToDu 7fOH6TJKlJNRvlWyFUyCd9P7JUYsAvRrKZd1JjGe4Q/m9w3Ji5cDyPX4ouYhFh5FgSGB Wg2gWBZGL1Y7nDhAZBQ9mnibUhDkflRnw5usRCqlpPNQ+r0+xN+OfvzQQg2n0vKmLd0c cjr9PbmCy3L/Qas5kZUTB0wBpwdh4cxA6rNn2lx+MLf4uYMX9ZP3pbK2/BlDwTxWrlCV T7C5PtyZVwwHJCyhB2O2jvIkSRQnkwnpJLXWmpKE9DbHeq/ziHqut+8I7eAtkusI1HeN WBrg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id az5-v6si12039139plb.617.2018.03.08.15.32.25; Thu, 08 Mar 2018 15:32:41 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751238AbeCHXb2 (ORCPT + 99 others); Thu, 8 Mar 2018 18:31:28 -0500 Received: from h2.hallyn.com ([78.46.35.8]:33132 "EHLO mail.hallyn.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751137AbeCHXb0 (ORCPT ); Thu, 8 Mar 2018 18:31:26 -0500 Received: by mail.hallyn.com (Postfix, from userid 1001) id 90681120419; Thu, 8 Mar 2018 17:31:24 -0600 (CST) Date: Thu, 8 Mar 2018 17:31:24 -0600 From: "Serge E. Hallyn" To: Stefan Berger Cc: "Serge E. Hallyn" , Mehmet Kayaalp , ima-devel , containers , linux-kernel , linux-security-module , Tycho Andersen , Yuqiong Sun , David Safford , Mehmet Kayaalp , Mimi Zohar , James Bottomley Subject: Re: [RFC PATCH 1/5] ima: extend clone() with IMA namespace support Message-ID: <20180308233124.GA12405@mail.hallyn.com> References: <20170720225033.21298-1-mkayaalp@linux.vnet.ibm.com> <20170720225033.21298-2-mkayaalp@linux.vnet.ibm.com> <2fac8414-6957-1fce-6b40-ad4b687ca83c@linux.vnet.ibm.com> <20180308201931.GA6462@mail.hallyn.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Quoting Stefan Berger (stefanb@linux.vnet.ibm.com): > On 03/08/2018 03:19 PM, Serge E. Hallyn wrote: > >Quoting Stefan Berger (stefanb@linux.vnet.ibm.com): > >>On 07/20/2017 06:50 PM, Mehmet Kayaalp wrote: > >>>From: Yuqiong Sun > >>> > >>>Add new CONFIG_IMA_NS config option. Let clone() create a new IMA > >>>namespace upon CLONE_NEWNS flag. Add ima_ns data structure in nsproxy. > >>>ima_ns is allocated and freed upon IMA namespace creation and exit. > >>>Currently, the ima_ns contains no useful IMA data but only a dummy > >>>interface. This patch creates the framework for namespacing the different > >>>aspects of IMA (eg. IMA-audit, IMA-measurement, IMA-appraisal). > >>> > >>>Signed-off-by: Yuqiong Sun > >>> > >>>Changelog: > >>>* Use CLONE_NEWNS instead of a new CLONE_NEWIMA flag > >>>* Use existing ima.h headers > >>>* Move the ima_namespace.c to security/integrity/ima/ima_ns.c > >>>* Fix typo INFO->INO > >>>* Each namespace free's itself, removed recursively free'ing > >>>until init_ima_ns from free_ima_ns() > >>With this patch we would use CLONE_NEWNS and create an IMA and mount > >>namespace at the same time. However, the code below creates two > >>inodes to handle the two namespaces separately via setns(). The > >... right. > > > >Either the ima and mounts namespaces are so closely tied that ima_ns > >should be unshared on every CLONE_NEWNS, or not. If they are, then > >every setns(CLONE_NEWNS) must also change the ima_ns. That is not the > >case here. Every clone creates a new ima_ns, but we're not forcing > >tasks to be in the ima_ns that is matched with its mntns, and > >furthermore we have another object lifecycle to worry about. > > > >It still seems to me that the only sane way to do this is to have the > >ima_ns be its own object; have it be owned by a user_ns; require > >CAP_SYS_ADMIN (or better CAP_MAC_ADMIN) to your current userns to > >clone a new one, maybe with no other tasks in userns yet, for good > >measure. And support hierarchical measuring (so parents can still > >get information about a child's actions). > > I think there is a real benefit to keeping the IMA namespace with > the mount namespace since the mount namespace carries the signatures > in the xattrs and IMA the (appraisal) policy. The user namespace has But xattrs have to do with the files and filesystem. Not with mounts. > the keys IMA needs for signature verification and if missing, the > appraisal will fail (at least that is how it could work but Mimi > tells me the pointer to the IMA keyring is cached). So there's an > incentive to keep the otherwise 'loose' namespaces 'together.' If we > were to associate the IMA namespace with the user namespace or be > stand-alone, it is easier to just setns() the mount namespace and > circumvent the IMA (appraisal) policy. Sure but you won't have privilege over the previous namespace. Now, you will over the uids you were delegated - almost seems like an ima_ns should be assoicated with a segregated uid range. > >If IMA is to be at all trustworthy for remote appraisal, then I do > > remote appraisal ? remote attestation ? right attestation > >not see how you can let a privileged insecure container completely > >bypass IMA. The key difference between allowing new ima_ns with > >mntns or only with userns is that after unsharing my user_ns, my > >privilege with respect to the parent is lost. A new mntns doesn't > >change anything about how I can corrupt the parent. > > Not quite following. After unsharing the user_ns IMA could be made > to loose access to its keys from the previous user_ns and starting > apps would fail appraisal then, unless the new user_ns IMA keyring > has the same keys again. It doesn't inherit the parent's to begin with? I guess I don't know enough about how the keyring is managed.