Subject: Re: [RFC PATCH v2 1/3] ima: extend clone() with IMA namespace support
To: James Bottomley, "Eric W. Biederman"
References: <20180309201421.6150-1-stefanb@linux.vnet.ibm.com>
 <20180309201421.6150-2-stefanb@linux.vnet.ibm.com>
 <87vadxfwqj.fsf@xmission.com>
 <1521135192.5348.64.camel@HansenPartnership.com>
 <2183a3b4-6270-d2e9-70ad-a7399eb1681c@linux.vnet.ibm.com>
 <1521139535.5348.89.camel@HansenPartnership.com>
 <0dc5b856-8dc6-7b5a-eeac-febd19f6498c@linux.vnet.ibm.com>
 <1521140467.5348.94.camel@HansenPartnership.com>
Cc: mkayaalp@cs.binghamton.edu, Mehmet Kayaalp, sunyuqiong1988@gmail.com,
 containers@lists.linux-foundation.org, linux-kernel@vger.kernel.org,
 david.safford@ge.com, linux-security-module@vger.kernel.org,
 linux-integrity@vger.kernel.org, zohar@linux.vnet.ibm.com
From: Stefan Berger
Date: Thu, 22 Mar 2018 12:47:14 -0400
In-Reply-To: <1521140467.5348.94.camel@HansenPartnership.com>
Message-Id: <8d9220d5-2acc-2818-c351-36b369e4b50e@linux.vnet.ibm.com>
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>

On 03/15/2018 03:01 PM, James Bottomley wrote:
> On Thu, 2018-03-15 at 14:51 -0400, Stefan Berger wrote:
>> On 03/15/2018 02:45 PM, James Bottomley wrote:
> [...]
>>>>> going to need some type of keyring namespace and there's already
>>>>> one hanging off the user_ns:
>>>>>
>>>>> commit f36f8c75ae2e7d4da34f4c908cebdb4aa42c977e
>>>>> Author: David Howells
>>>>> Date:   Tue Sep 24 10:35:19 2013 +0100
>>>>>
>>>>>     KEYS: Add per-user_namespace registers for persistent per-UID
>>>>>     kerberos caches
>>>>
>>>> The benefit for IMA would be that this would then tie the keys
>>>> needed for appraising to the IMA namespace's policy.
>>>> However, if you have an appraise policy in your IMA namespace,
>>>> which is now hooked to the user namespace, and you join that user
>>>> namespace but your files don't have signatures, nothing will
>>>> execute anymore. That's now a side effect of joining this user
>>>> namespace unless we have a magic exception. My feeling is,
>>>> people may not like that...
>>>
>>> Agree, but I think the magic might be to populate the ima keyring
>>> with the parent on user_ns creation. That way the user_ns owner
>>> can delete the parent keys if they don't like them, but by default
>>> the parent appraisal policy should just work.
>>
>> That may add keys to your keyring but doesn't get you signatures on
>> your files.
>
> But it doesn't need to. The only way we'd get a failure is if the file
> is already being appraised and we lose access to the key. If the
> parent policy isn't appraisal, entering the IMA NS won't cause
> appraisal to be turned on unless the owner asks for it, in which case
> it's caveat emptor: As it works today, if as root I add a default
> appraisal policy to IMA without either a key or xattrs, I get an
> unusable system.

When I post a next implementation for the spawning of an IMA namespace,
what shall be the criterion for accepting it?

    Stefan

>
> James
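The failure modes argued over above (an appraise rule with no security.ima xattr, an appraise rule whose signing key is missing from the keyring, and a child namespace whose keyring is pre-populated from the parent) can be walked through in a small model. The following is an added illustration, not code from the thread or from the kernel: it parses a small subset of the IMA policy syntax ("action key=value ..." lines), models the .ima keyring as a dict, and stands in HMAC-SHA256 for the asymmetric signatures real IMA appraisal verifies. The ImaNs, File, bprm_check and run_scenarios names, the "demo-key" key id and the file paths are all constructed for the example.

```python
"""Toy model of IMA appraisal across a namespace boundary (added example)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ACTIONS = ("measure", "dont_measure", "appraise", "dont_appraise")


@dataclass
class Rule:
    action: str
    conds: Dict[str, str]


def parse_policy(text: str) -> List[Rule]:
    """Parse a subset of the IMA policy syntax: one 'action key=value ...' rule per line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, *conds = line.split()
        if action not in ACTIONS:
            raise ValueError("unknown action: " + action)
        rules.append(Rule(action, dict(c.split("=", 1) for c in conds)))
    return rules


@dataclass
class File:
    path: str
    content: bytes
    ima_xattr: Optional[Dict[str, str]] = None  # constructed stand-in for security.ima


@dataclass
class ImaNs:
    policy: List[Rule]
    keyring: Dict[str, bytes]  # keyid -> key; stand-in for the .ima keyring

    @classmethod
    def child_of(cls, parent: "ImaNs", policy_text: str, inherit_keys: bool = True) -> "ImaNs":
        # James's suggestion: populate the child's keyring from the parent at creation,
        # leaving the child owner free to delete those keys afterwards.
        return cls(parse_policy(policy_text), dict(parent.keyring) if inherit_keys else {})


def sign_file(f: File, keyid: str, key: bytes) -> None:
    """Attach a (modelled) signature over the file content, tagged with its key id."""
    f.ima_xattr = {"keyid": keyid, "sig": hmac.new(key, f.content, hashlib.sha256).hexdigest()}


def bprm_check(ns: ImaNs, f: File) -> Tuple[bool, str]:
    """Decide whether exec of f is allowed under ns; the first matching rule wins."""
    for rule in ns.policy:
        func = rule.conds.get("func")
        if func is not None and func != "BPRM_CHECK":
            continue
        if rule.action == "dont_appraise":
            return True, "dont_appraise rule matched"
        if rule.action == "appraise":
            if f.ima_xattr is None:
                return False, "no security.ima xattr"
            key = ns.keyring.get(f.ima_xattr["keyid"])
            if key is None:
                return False, "signing key not on keyring"
            expected = hmac.new(key, f.content, hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, f.ima_xattr["sig"]):
                return False, "signature mismatch"
            return True, "signature verified"
        # measure/dont_measure rules only affect the measurement list, never exec
    return True, "no appraise rule matched"


APPRAISE_POLICY = "appraise func=BPRM_CHECK appraise_type=imasig\n"
MEASURE_POLICY = "measure func=BPRM_CHECK\n"


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    """Replay the cases discussed in the thread with constructed inputs."""
    key = b"constructed-demo-key"
    parent = ImaNs(parse_policy(APPRAISE_POLICY), {"demo-key": key})
    signed = File("/usr/bin/signed", b"#!/bin/sh\necho hi\n")
    sign_file(signed, "demo-key", key)
    unsigned = File("/usr/local/bin/unsigned", b"#!/bin/sh\necho hi\n")

    child = ImaNs.child_of(parent, APPRAISE_POLICY)                      # keys inherited
    orphan = ImaNs.child_of(parent, APPRAISE_POLICY, inherit_keys=False)  # owner deleted them
    measure_only = ImaNs.child_of(parent, MEASURE_POLICY)                 # no appraisal asked for

    return {
        "parent_signed": bprm_check(parent, signed),
        "parent_unsigned": bprm_check(parent, unsigned),        # the "unusable system" case
        "child_inherits_keys": bprm_check(child, signed),
        "child_keys_deleted": bprm_check(orphan, signed),       # lost access to the key
        "child_measure_only_unsigned": bprm_check(measure_only, unsigned),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:30s} {'ALLOW' if ok else 'DENY':5s} {why}")
```

The two denials are the ones the thread worries about: an appraise rule meets a file with no xattr, or a signed file whose key the namespace no longer holds. The measure-only child shows the other half of James's argument: without an appraise rule, entering the namespace changes nothing about what executes.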