Received: by 10.213.65.68 with SMTP id h4csp95454imn; Thu, 15 Mar 2018 10:35:26 -0700 (PDT) X-Google-Smtp-Source: AG47ELsiQQtxp7NzNqfUaSib1C4keSGApFQ4PlAiHuqLRiWN+HR88ikJTKL4PYX8NjbXcMUx1tQZ X-Received: by 10.101.101.204 with SMTP id y12mr7438849pgv.142.1521135326581; Thu, 15 Mar 2018 10:35:26 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1521135326; cv=none; d=google.com; s=arc-20160816; b=VBj7gfli/iwuoRmuc52MZtoM44QmIZ11fwfZyMjdBx+4a+/S1g0+2qIszK/3f470xv hqvW580S08YFn9D5GJXBMCZ3OjMHEoOzrlTRZj5blk69JGmcxc/z0j6qr2Oisn1+Gfzl XPcnuR8L2WA4we1dYZX2jtzasuHDHivQYqizKZmFiwby3iduvPoqo+OhzpkGz5o71uXb h7r6veMkXzJjzA++9aYpoXp4tkmWFf+/SuRp3atXukHJpzKQaTjnFl8E3A/WhaN6tzBQ BMsCNGI7hVNPt4pHgPcDdVLvY2S/BQr3tTDaUP0ApIV/1L3z//BBBu4yZa44UHcg/8jw FbMA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:date:cc:to:from:subject:message-id :dkim-signature:arc-authentication-results; bh=Y2Y+9L8HktwYeFCwugiBtBkrPJsiSyWoA/FhLNqXJ08=; b=Yv/96ybiuyDdskcoLC9TTD3g8pF2qRMVXNFX+YFJSDP0aFH7gKaN/2aV0dO5tWsq6z zHdiAmOv5mmfKjjf2M/J0TKGKQg22+OwDKxAMg5K42JaEr0Q62I2hgdtKKfImdmszG3S YzJKwowUbW4YhLaA8lTz4i3etPGrj9kWS5aUl5TGGoHLGDol4e//J3dex2sEFcP8ylBU nOjh6t2becuxuDR5N3ZLA8FyfnNQzg4JHtmuoBu/1abmulvlgeOm9j2K61fPGpEpY/cq XjQdsGV27RE4xZGHefchmB1ghJX3QaH/1aZpSjN3gAD+voai2hPvU6NuPUWkT/C8mFwA 48sQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b=nEGsfuUp; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 1-v6si4311815plv.375.2018.03.15.10.35.12; Thu, 15 Mar 2018 10:35:26 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b=nEGsfuUp; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752665AbeCORdT (ORCPT + 99 others); Thu, 15 Mar 2018 13:33:19 -0400 Received: from bedivere.hansenpartnership.com ([66.63.167.143]:38988 "EHLO bedivere.hansenpartnership.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751624AbeCORdR (ORCPT ); Thu, 15 Mar 2018 13:33:17 -0400 Received: from localhost (localhost [127.0.0.1]) by bedivere.hansenpartnership.com (Postfix) with ESMTP id 1C27C8EE139; Thu, 15 Mar 2018 10:33:17 -0700 (PDT) Received: from bedivere.hansenpartnership.com ([127.0.0.1]) by localhost (bedivere.hansenpartnership.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6ezT5Le9Yv7E; Thu, 15 Mar 2018 10:33:16 -0700 (PDT) Received: from [153.66.254.194] (unknown [50.35.65.221]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by bedivere.hansenpartnership.com (Postfix) with ESMTPSA id 62E498EE0C7; Thu, 15 Mar 2018 10:33:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=hansenpartnership.com; s=20151216; t=1521135196; bh=9uDc5EIol9poIn5LT1YxQovMyhprCQOwx3WF8qPBDHI=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=nEGsfuUprhuELu2jU+GyFeAE0dG+fN0IKsH3ll56cr4NKsAv4cUm8BsFBGZ5PRPxe bW1pnpps3nygj/UHywPlU6PdD59+Z4K81tWxwJqnVNJBl2ECDCEDgA0m20XCveOhfG ydopEeoxSe95rGG91V8y3q4gzZ89qoiAm3rnvIVA= Message-ID: <1521135192.5348.64.camel@HansenPartnership.com> Subject: Re: [RFC PATCH v2 1/3] ima: extend clone() with IMA namespace support From: James Bottomley To: Stefan Berger , "Eric W. Biederman" Cc: linux-ima-devel@lists.sourceforge.net, mkayaalp@cs.binghamton.edu, Mehmet Kayaalp , sunyuqiong1988@gmail.com, containers@lists.linux-foundation.org, linux-kernel@vger.kernel.org, david.safford@ge.com, linux-security-module@vger.kernel.org, linux-integrity@vger.kernel.org, Yuqiong Sun , zohar@linux.vnet.ibm.com Date: Thu, 15 Mar 2018 10:33:12 -0700 In-Reply-To: References: <20180309201421.6150-1-stefanb@linux.vnet.ibm.com> <20180309201421.6150-2-stefanb@linux.vnet.ibm.com> <87vadxfwqj.fsf@xmission.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.20.5 Mime-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 2018-03-15 at 11:26 -0400, Stefan Berger wrote: > On 03/15/2018 06:40 AM, Eric W. Biederman wrote: > > > > Stefan Berger writes: > > > > > > > > From: Yuqiong Sun > > > > > > Add new CONFIG_IMA_NS config option.  Let clone() create a new > > > IMA namespace upon CLONE_NEWNS flag. Add ima_ns data structure in > > > nsproxy.  ima_ns is allocated and freed upon IMA namespace > > > creation and exit.  Currently, the ima_ns contains no useful IMA > > > data but only a dummy interface. This patch creates the framework > > > for namespacing the different aspects of IMA (eg. IMA-audit, IMA- > > > measurement, IMA-appraisal). > > IMA is not path based.  The only thing that belongs to a mount > > namespace are paths.  Therefore IMA is completely inappropriate to > > be joint with a mount namespace. Just to be clear: The mount namespace is not only about paths it's also about subtree properties.  However, the point still stands that IMA has a dependency on neither. > IMA measures the files described by these paths. The files also may > hold signatures (security.ima xattr) needed for IMA appraisal. The xattr is an inode property, which isn't namespaced by the mount_ns. When we had this discussion last year, we talked about possibly using the user_ns instead.  It makes sense because for IMA signatures you're going to need some type of keyring namespace and there's already one hanging off the user_ns: commit f36f8c75ae2e7d4da34f4c908cebdb4aa42c977e Author: David Howells Date:   Tue Sep 24 10:35:19 2013 +0100     KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches > > I saw that Serge even recently mentioned that you need to take > > this aspect of the changes back to the drawing board.  With my > > namespace maintainer hat on I repeat that. > > Drawing board is here now (tuning on the text...): > > http://kernsec.org/wiki/index.php/IMA_Namespacing_design_consideratio > ns You mention an abuse case here which is basically a way of relaxing security policy.  Cannot we fix that by making policy hierarchical, so a child namespace must have the same or a more strict policy than the parent? > >  From a 10,000 foot view I can already tell that this is hopeless. > > So for binding IMA namspaces and CLONE_NEWNS: > > > > Nacked-by: "Eric W. Biederman" > > > > I am not nacking IMA namespacing just inappropriately tying ima > > namespaces to mount namespaces.  These should be completely > > separate entities. > > Let's say we go down the road of spawning it independently. Can we > use the unused clone flag 0x1000? Or should we come up with new  > unshare2()/clone2() syscalls to extend the clone bits to 64 bit? Or > use a sysfs/securityfs file to spawn a new IMA namespace? Make this a > generic file not an IMA specific one? If, as a result of discussions, it turns out that a separate namespace is the correct way to proceed, I'm sure we can sort out the details of how we cope with the flag paucity problem. James