Received: by 10.213.65.68 with SMTP id h4csp150211imn; Thu, 15 Mar 2018 12:23:16 -0700 (PDT) X-Google-Smtp-Source: AG47ELvLvf2TluAqSPFwOV0dImEJVHrkUYfZN5QLtdOP42MOdW8VVZCmRrTFanhLMxxmOLiRxI7J X-Received: by 10.98.254.6 with SMTP id z6mr8575486pfh.155.1521141796561; Thu, 15 Mar 2018 12:23:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1521141796; cv=none; d=google.com; s=arc-20160816; b=mAblX/5NZIAaq8aXw0bCyH9NLXg2Ofv1ZzN1jyQ7oY1N++7mqmrxEQD2bU3shuPkjr tlOF1yZrdUYM5bBzUyHzU/9H/XbE3hGdTWmS70+ZJKGnfYRA9PtJwlinUqMzSF0dIg+o E4FurYYy+lrG1R+4a271M6iQyubIIFhbD0MbW324DMcWAnweKOcO+W8+Mc/66LWAG6xi nRhpUof1mdHDAqMdvm6Z8ib46EwUiMIuwhlrM+bgImTjKqtBxBtBmbVhG2REOP7v6nUI VaTDxeWD36NqgSQ3cwumj+OaNPcf/szFyfz99zJh8jd3hLhxMMpnGKOyD9aP2w5xEhod S58w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:subject:mime-version:user-agent :message-id:in-reply-to:date:references:cc:to:from :arc-authentication-results; bh=9JWuKvnYV8knu2qOewXnWQGrxU72cWk4Zo6w+es8mec=; b=pJJNqFQGfZhVsSwh09AHfNHZWF7usE6uWbq0eBVfUWsFtZVCsgbQPavciZ7cIWHiTc 0vpymiGuVcgctcpvpSrUFoUrXEVe577Q0AfOhRl1CnSOoBf44bUQsdFdyOVE+C8Xpe8m GJD4NZKEBB3O5MT7FEBC+VTbCyiVMMZ6C9vStDzhLBitzzvhLIVPDOwx8v5XvbwuLme4 wFdigX0yvAfZTM5ySFSioJLkfI8cdgLIiYiMzmlE25PFl3B9zMnXOdhJ1VRpjynEh25v 0CybwTaDzdDruJDbDx6KM7htW1xBwYNzV0Ij/tupUePCTTSxdgm5Mq2E5B3044VDtUx1 4wdA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h191si1971386pgc.716.2018.03.15.12.22.55; Thu, 15 Mar 2018 12:23:16 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752339AbeCOTVZ (ORCPT + 99 others); Thu, 15 Mar 2018 15:21:25 -0400 Received: from out01.mta.xmission.com ([166.70.13.231]:56264 "EHLO out01.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751546AbeCOTVX (ORCPT ); Thu, 15 Mar 2018 15:21:23 -0400 Received: from in02.mta.xmission.com ([166.70.13.52]) by out01.mta.xmission.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.87) (envelope-from ) id 1ewYRF-0002yd-Tx; Thu, 15 Mar 2018 13:21:21 -0600 Received: from 97-119-121-173.omah.qwest.net ([97.119.121.173] helo=x220.xmission.com) by in02.mta.xmission.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.87) (envelope-from ) id 1ewYRE-0006Ek-IV; Thu, 15 Mar 2018 13:21:21 -0600 From: ebiederm@xmission.com (Eric W. Biederman) To: Stefan Berger Cc: James Bottomley , mkayaalp@cs.binghamton.edu, Mehmet Kayaalp , sunyuqiong1988@gmail.com, containers@lists.linux-foundation.org, linux-kernel@vger.kernel.org, david.safford@ge.com, linux-security-module@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.vnet.ibm.com References: <20180309201421.6150-1-stefanb@linux.vnet.ibm.com> <20180309201421.6150-2-stefanb@linux.vnet.ibm.com> <87vadxfwqj.fsf@xmission.com> <1521135192.5348.64.camel@HansenPartnership.com> <2183a3b4-6270-d2e9-70ad-a7399eb1681c@linux.vnet.ibm.com> <1521139535.5348.89.camel@HansenPartnership.com> <0dc5b856-8dc6-7b5a-eeac-febd19f6498c@linux.vnet.ibm.com> <1521140467.5348.94.camel@HansenPartnership.com> <056e5b9e-b4d3-1862-baea-06dda4bd0713@linux.vnet.ibm.com> Date: Thu, 15 Mar 2018 14:20:31 -0500 In-Reply-To: <056e5b9e-b4d3-1862-baea-06dda4bd0713@linux.vnet.ibm.com> (Stefan Berger's message of "Thu, 15 Mar 2018 15:15:25 -0400") Message-ID: <87sh915eo0.fsf@xmission.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-SPF: eid=1ewYRE-0006Ek-IV;;;mid=<87sh915eo0.fsf@xmission.com>;;;hst=in02.mta.xmission.com;;;ip=97.119.121.173;;;frm=ebiederm@xmission.com;;;spf=neutral X-XM-AID: U2FsdGVkX19xTLmUqqfgMVZgF99TYHFQVx9gpsRWTOg= X-SA-Exim-Connect-IP: 97.119.121.173 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on sa03.xmission.com X-Spam-Level: X-Spam-Status: No, score=0.5 required=8.0 tests=ALL_TRUSTED,BAYES_50, DCC_CHECK_NEGATIVE,TVD_RCVD_IP,T_TM2_M_HEADER_IN_MSG,T_TooManySym_01, T_TooManySym_02,XMSubLong autolearn=disabled version=3.4.0 X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.0 TVD_RCVD_IP Message was received from an IP address * 0.7 XMSubLong Long Subject * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.4612] * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa03 1397; Body=1 Fuz1=1 Fuz2=1] * 0.0 T_TooManySym_02 5+ unique symbols in subject * 0.0 T_TooManySym_01 4+ unique symbols in subject X-Spam-DCC: XMission; sa03 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: ;Stefan Berger X-Spam-Relay-Country: X-Spam-Timing: total 1008 ms - load_scoreonly_sql: 0.06 (0.0%), signal_user_changed: 6 (0.6%), b_tie_ro: 4.7 (0.5%), parse: 1.33 (0.1%), extract_message_metadata: 8 (0.7%), get_uri_detail_list: 4.4 (0.4%), tests_pri_-1000: 11 (1.1%), tests_pri_-950: 2.4 (0.2%), tests_pri_-900: 4.4 (0.4%), tests_pri_-400: 58 (5.7%), check_bayes: 54 (5.4%), b_tokenize: 19 (1.9%), b_tok_get_all: 13 (1.3%), b_comp_prob: 6 (0.6%), b_tok_touch_all: 7 (0.7%), b_finish: 0.94 (0.1%), tests_pri_0: 877 (87.0%), check_dkim_signature: 1.02 (0.1%), check_dkim_adsp: 9 (0.9%), tests_pri_500: 19 (1.9%), rewrite_mail: 0.00 (0.0%) Subject: Re: [RFC PATCH v2 1/3] ima: extend clone() with IMA namespace support X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600) X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Stefan Berger writes: > On 03/15/2018 03:01 PM, James Bottomley wrote: >> On Thu, 2018-03-15 at 14:51 -0400, Stefan Berger wrote: >>> On 03/15/2018 02:45 PM, James Bottomley wrote: >> [...] >>>>>> going to need some type of keyring namespace and there's >>>>>> already >>>>>> one hanging off the user_ns: >>>>>> >>>>>> commit f36f8c75ae2e7d4da34f4c908cebdb4aa42c977e >>>>>> Author: David Howells >>>>>> Date: Tue Sep 24 10:35:19 2013 +0100 >>>>>> >>>>>> KEYS: Add per-user_namespace registers for persistent >>>>>> per-UID >>>>>> kerberos caches >>>>> The benefit for IMA would be that this would then tie the keys >>>>> needed for appraising to the IMA namespace's policy. >>>>> However, if you have an appraise policy in your IMA namespace, >>>>> which is now hooked to the user namespace, and you join that user >>>>> namespace but your files don't have signatures, nothing will >>>>> execute anymore. That's now a side effect of joining this user >>>>> namespace unless we have a magic exception. My feeling is, >>>>> people may not like that... >>>> Agree, but I think the magic might be to populate the ima keyring >>>> with the parent on user_ns creation. That way the user_ns owner >>>> can delete the parent keys if they don't like them, but by default >>>> the parent appraisal policy should just work. >>> That may add keys to your keyring but doesn't get you signatures on >>> your files. >> But it doesn't need to. The only way we'd get a failure is if the file >> is already being appraised and we lose access to the key. If the > > Well, the configuration I talked about above was assuming that we have > an appraisal policy active in the IMA namespace, which is now tied to > the user namespace that was just joined. > > If we are fine with the side effects of an IMA policy active as part > of a user namespace then let's go with it. The side effects in case of > an active IMA appraisal may then be that files cannot be > read/accessed, or file measurements or IMA auditing may occur. > > The alternative is we have an independent IMA namespace. If one joins > the USER namespace and there are no IMA-related side effects. If one > joins the IMA namespace its IMA policy should start being enforced. If > the current active USER namespace has the keys that go with the > signatures of the filesystem, then we're fine from the appraisal > perspective. If not, then IMA namespace joining may prevent file > accesses. > >> parent policy isn't appraisal, entering the IMA NS won't cause > > Why parent policy? The policy of the namespace that was joined should > be the active one, no ? Unless I am completely blind we should never stop enforcing the parent's polciy. We should only add policy to enforce for the scope of a container. In practice this is just the containers policy as the container is most likely a do whatever you want to in the parent policy. But not always and not explicitly. Mount namespaces are not hierarchical, user namespaces are. Which makes them much more appropriate for being part of nested policy enforcement. From previous conversations I remember that there is a legitimate bootstrap problem for IMA. That needs to be looked at, and I am not seeing that mentioned. Eric