Received: by 10.192.165.156 with SMTP id m28csp1632014imm;
        Wed, 18 Apr 2018 12:59:56 -0700 (PDT)
X-Google-Smtp-Source: AIpwx49iaZz+wIqoe72QAVwoUoyN9WKAl19M9KTB4Fuwx44zY1S5D8Xu9qMahphoLFfyRN7eNOyf
X-Received: by 2002:a17:902:1e2:: with SMTP id b89-v6mr3313603plb.389.1524081596846;
        Wed, 18 Apr 2018 12:59:56 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1524081596; cv=none;
        d=google.com; s=arc-20160816;
        b=BBm03bUT7x1w2QNTHJQlemAKsVlXz2x1/B3viPNFGNtCNXS0KL4ib8tkcMVkp4CI+G
         aqPfP9V3oy5rjlU1GDyxFYNDN85is6XN+UPCxJRbAKRuakye30k6kKDxF8IfG6Sztrch
         t4hWW8UfI/Eh8kglXUqx03t9yyEv04IrtEZYaeMJB31ERDQBYt9ZasJ5MlB5Czu/Qa6Z
         wrt541sWHNncIV/9K8NgiiLT3ltiDHXAw2vaftWHPFTcoiqpn9vXj6OehfwisQWjtNBh
         Ag9FcP+5ihiQcerhj6QPc8jVoObqU06su9sX96Zskts+g1PFWOH1DnmwGfGGj6mQggox
         3ojg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:content-transfer-encoding
         :mime-version:references:in-reply-to:date:cc:to:from:subject
         :arc-authentication-results;
        bh=4xvnJilXP6kUPQdiopAbXCjU7appuz8wszrFLYmVfc4=;
        b=xSGtgQHnS2W898vU20zot9a5ToGWI0nTw0U5PrOv2xKHWrKvcP13iqRvrQFZnKRpsM
         NjNWdmdpaoVarGKr79ExGCQ3X+KNvlXARogyDCOuWYNV1dLsfsT7IEjduJacAdtjc+6j
         vkVdOm9WboVmYN2L3eh0RwIN4Z4yC9TMeGNbmHINJ2gOH3fAEH+hoBO/iPLqoKoyjWZ+
         Mlgdc0irFFj9V7O8kOGEuC35iRHhtNTqjY665C1cbvNJlN48p2iTK3I0Ke6bX+LpM19J
         Xo+gVlgoCXjjN72hdoNuGPdewQjMKxv5RbhK7rsvqd8GmB6tahYp4O5JYXXbFShwF9u0
         qsyQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id u4si1728656pfb.42.2018.04.18.12.59.43;
        Wed, 18 Apr 2018 12:59:56 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752754AbeDRT6E (ORCPT <rfc822;zffurovfq63@gmail.com>
        + 99 others); Wed, 18 Apr 2018 15:58:04 -0400
Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:60966 "EHLO
        mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL)
        by vger.kernel.org with ESMTP id S1752703AbeDRT6C (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 18 Apr 2018 15:58:02 -0400
Received: from pps.filterd (m0098419.ppops.net [127.0.0.1])
        by mx0b-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w3IJtrs3047798
        for <linux-kernel@vger.kernel.org>; Wed, 18 Apr 2018 15:58:02 -0400
Received: from e06smtp13.uk.ibm.com (e06smtp13.uk.ibm.com [195.75.94.109])
        by mx0b-001b2d01.pphosted.com with ESMTP id 2heajenk8t-1
        (version=TLSv1.2 cipher=AES256-SHA256 bits=256 verify=NOT)
        for <linux-kernel@vger.kernel.org>; Wed, 18 Apr 2018 15:58:01 -0400
Received: from localhost
        by e06smtp13.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted
        for <linux-kernel@vger.kernel.org> from <zohar@linux.vnet.ibm.com>;
        Wed, 18 Apr 2018 20:57:59 +0100
Received: from b06cxnps4074.portsmouth.uk.ibm.com (9.149.109.196)
        by e06smtp13.uk.ibm.com (192.168.101.143) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted;
        Wed, 18 Apr 2018 20:57:54 +0100
Received: from d06av21.portsmouth.uk.ibm.com (d06av21.portsmouth.uk.ibm.com [9.149.105.232])
        by b06cxnps4074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id w3IJvsDr58196154;
        Wed, 18 Apr 2018 19:57:54 GMT
Received: from d06av21.portsmouth.uk.ibm.com (unknown [127.0.0.1])
        by IMSVA (Postfix) with ESMTP id 9F3B752041;
        Wed, 18 Apr 2018 19:48:41 +0100 (BST)
Received: from dhcp-9-2-55-88.watson.ibm.com (unknown [9.2.55.88])
        by d06av21.portsmouth.uk.ibm.com (Postfix) with ESMTP id 31F4A5203F;
        Wed, 18 Apr 2018 19:48:40 +0100 (BST)
Subject: Re: [RFC PATCH v3 1/3] ima: extend clone() with IMA namespace
 support
From:   Mimi Zohar <zohar@linux.vnet.ibm.com>
To:     John Johansen <john.johansen@canonical.com>,
        "Eric W. Biederman" <ebiederm@xmission.com>,
        Stefan Berger <stefanb@linux.vnet.ibm.com>
Cc:     linux-integrity@vger.kernel.org,
        containers@lists.linux-foundation.org,
        linux-kernel@vger.kernel.org,
        linux-security-module@vger.kernel.org, tycho@docker.com,
        serge@hallyn.com, sunyuqiong1988@gmail.com, david.safford@ge.com,
        mkayaalp@cs.binghamton.edu, James.Bottomley@HansenPartnership.com,
        Yuqiong Sun <suny@us.ibm.com>,
        Mehmet Kayaalp <mkayaalp@linux.vnet.ibm.com>
Date:   Wed, 18 Apr 2018 15:57:52 -0400
In-Reply-To: <d8c30d7d-c679-9323-7a25-d3148e9b96c6@canonical.com>
References: <1522159038-14175-1-git-send-email-stefanb@linux.vnet.ibm.com>
         <1522159038-14175-2-git-send-email-stefanb@linux.vnet.ibm.com>
         <87sh8lcecn.fsf@xmission.com> <1523636702.3272.63.camel@linux.vnet.ibm.com>
         <d8c30d7d-c679-9323-7a25-d3148e9b96c6@canonical.com>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.20.5 (3.20.5-1.fc24) 
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-TM-AS-GCONF: 00
x-cbid: 18041819-0012-0000-0000-000005CC5B3D
X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused
x-cbparentid: 18041819-0013-0000-0000-00001948AE90
Message-Id: <1524081472.3272.319.camel@linux.vnet.ibm.com>
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2018-04-18_05:,,
 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501
 malwarescore=0 suspectscore=3 phishscore=0 bulkscore=0 spamscore=0
 clxscore=1015 lowpriorityscore=0 impostorscore=0 adultscore=0
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1709140000
 definitions=main-1804180179
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 2018-04-18 at 09:09 -0700, John Johansen wrote:
> On 04/13/2018 09:25 AM, Mimi Zohar wrote:
> > [Cc'ing John Johansen]
> > 
> > On Tue, 2018-03-27 at 18:01 -0500, Eric W. Biederman wrote:
> > [...]
> >> As such I expect the best way to create the ima namespace is by simply
> >> writing to securityfs/imafs.  Possibly before the user namespace is
> >> even unshared.  That would allow IMA to keep track of things from
> >> before a container is created.
> > 
> 
> I do think this is generally the right approach for LSMs when looking
> forward to LSM stacking and more LSMs.
> 
> 
> > My initial thought was to stage IMA namespacing with just IMA-audit
> > first, followed by either IMA-measurement or IMA-appraisal.  This
> > would allow us to get the basic IMA namespacing framework working and
> > defer dealing with the securityfs related namespacing of the IMA
> > policy and measurement list issues to later.
> > 
> > By tying IMA namespacing to a securityfs ima/unshare file, we would
> > need to address the securityfs issues first.
> > 
> 
> well it depends on what you want to do. It would be possible to have
> a simple file (not a jump link) within securityfs that IMA could use
> without having to deal with all the securityfs issues first. However it
> does require that securityfs (not necessarily imafs) be visible within
> the mount namespace of the task doing the setup.

Eric, would you be OK with that?

Mimi