From: Stefan Berger
To: linux-integrity@vger.kernel.org, containers@lists.linux-foundation.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Cc: serge@hallyn.com, sunyuqiong1988@gmail.com, david.safford@ge.com, mkayaalp@cs.binghamton.edu, James.Bottomley@HansenPartnership.com, zohar@linux.vnet.ibm.com, ebiederm@xmission.com, john.johansen@canonical.com, Stefan Berger
Subject: [RFC PATCH v4 0/5] ima: Namespacing IMA
Date: Fri, 11 May 2018 10:42:25 -0400
Message-Id: <20180511144230.75384-1-stefanb@linux.vnet.ibm.com>
X-Mailer: git-send-email 2.14.3
X-Mailing-List: linux-kernel@vger.kernel.org

This patch set implements an IMA namespace data structure that gets created by first writing a '1' into IMA's securityfs unshare file at /sys/kernel/security/ima/unshare and then by clone(). This patch set lays down the foundation for namespacing the different aspects of IMA (e.g. IMA-audit, IMA-measurement, IMA-appraisal).

The original PoC patches created a new CLONE_NEWIMA flag to explicitly control when a new IMA namespace should be created. The previously posted version 2 of this series had it hooked on the mount namespace, which was regarded as inappropriate. The subsequent v3 tied it to the creation of a user namespace. Based on comments, we elected to now again create an independent IMA namespace through the above-mentioned securityfs file.

The first patch creates the ima_namespace data, while the second patch puts the iint->flags in the namespace. The third patch introduces an audit message type for IMA policy rules. The fourth patch introduces a new IMA policy rule attribute 'ns', making rules only applicable to child IMA namespaces. The last patch uses the flags for namespacing the IMA-audit messages, enabling the same file to be audited each time it is accessed in a new namespace.
   Stefan

Mehmet Kayaalp (2):
  ima: Add ns_status for storing namespaced iint data
  ima: namespace audit status flags

Mimi Zohar (1):
  ima: differentiate auditing policy rules from "audit" actions

Stefan Berger (1):
  ima: extend IMA audit policy rules with attribute to audit namespaces

Yuqiong Sun (1):
  ima: Add IMA namespace support

 fs/proc/namespaces.c                     |   3 +
 include/linux/ima.h                      |  53 +++++++++
 include/linux/nsproxy.h                  |   2 +
 include/linux/proc_ns.h                  |   1 +
 include/linux/sched.h                    |   6 +
 include/linux/user_namespace.h           |   1 +
 include/uapi/linux/audit.h               |   3 +-
 init/Kconfig                             |  11 ++
 kernel/fork.c                            |   5 +
 kernel/nsproxy.c                         |  25 ++++-
 kernel/ucount.c                          |   1 +
 security/integrity/ima/Makefile          |   3 +-
 security/integrity/ima/ima.h             |  82 +++++++++++++-
 security/integrity/ima/ima_api.c         |  14 ++-
 security/integrity/ima/ima_appraise.c    |   2 +-
 security/integrity/ima/ima_fs.c          |  55 ++++++++++
 security/integrity/ima/ima_init.c        |   4 +
 security/integrity/ima/ima_init_ima_ns.c |  51 +++++++++
 security/integrity/ima/ima_main.c        |  18 ++-
 security/integrity/ima/ima_ns.c          | 183 +++++++++++++++++++++++++++++++
 security/integrity/ima/ima_ns_status.c   | 133 ++++++++++++++++++++++
 security/integrity/ima/ima_policy.c      |  77 ++++++++++++-
 22 files changed, 712 insertions(+), 21 deletions(-)
 create mode 100644 security/integrity/ima/ima_init_ima_ns.c
 create mode 100644 security/integrity/ima/ima_ns.c
 create mode 100644 security/integrity/ima/ima_ns_status.c

-- 
2.14.3
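The user-space side of the two-step procedure the cover letter describes (write '1' to the securityfs unshare file, then clone()), as an added example that is not part of the patch series or of the kernel tree. It assumes the unshare file path given in the cover letter, that securityfs is mounted and writable by the caller (normally root), and that the new namespace is exposed as /proc/<pid>/ns/ima; that link name is an assumption, since the series touches fs/proc/namespaces.c but the cover letter does not name the entry. fork() is used for the clone() step because glibc implements fork() with the clone system call. The parent then compares the namespace inode numbers of itself and the child, which is the usual way to tell from user space whether two tasks share a namespace.

```c
/*
 * Added example (not from the patch series): request an IMA namespace as the
 * cover letter describes and verify from the parent that the child got one.
 *
 * Assumptions:
 *  - unshare file at /sys/kernel/security/ima/unshare (cover letter);
 *  - namespace link at /proc/<pid>/ns/ima (assumed name, not stated);
 *  - securityfs mounted and writable by the caller (typically root).
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define IMA_UNSHARE_FILE "/sys/kernel/security/ima/unshare" /* from cover letter */
#define IMA_NS_LINK      "ima"                              /* assumed name */

/* Step 1: write "1" to the unshare file. Returns 0 on success or -errno. */
int ima_request_unshare(const char *path)
{
	int fd = open(path, O_WRONLY | O_CLOEXEC);
	if (fd < 0)
		return -errno;
	ssize_t n = write(fd, "1", 1);
	int err = n == 1 ? 0 : (n < 0 ? -errno : -EIO);
	close(fd);
	return err;
}

/* Read the readlink() target of /proc/<pid>/ns/<name>, e.g. "ima:[4026531839]".
 * Returns 0 on success or -errno. */
int ns_identity(pid_t pid, const char *name, char *buf, size_t len)
{
	char path[64];

	snprintf(path, sizeof(path), "/proc/%d/ns/%s", (int)pid, name);
	ssize_t n = readlink(path, buf, len - 1);
	if (n < 0)
		return -errno;
	buf[n] = '\0';
	return 0;
}

/* Extract the inode number from "<type>:[<ino>]". Two tasks are in the same
 * namespace exactly when these numbers match. Returns 0 or -EINVAL. */
int ns_inode(const char *identity, unsigned long *ino)
{
	const char *lb = strchr(identity, '[');
	char *end;

	if (!lb)
		return -EINVAL;
	*ino = strtoul(lb + 1, &end, 10);
	if (end == lb + 1 || *end != ']')
		return -EINVAL;
	return 0;
}

int main(void)
{
	char parent_id[64], child_id[64];
	unsigned long parent_ino, child_ino;
	int err;

	err = ima_request_unshare(IMA_UNSHARE_FILE);
	if (err) {
		fprintf(stderr, "unshare request failed: %s (kernel without this "
			"series, securityfs not mounted, or no privilege?)\n",
			strerror(-err));
		return 1;
	}

	/* Step 2: clone(). glibc's fork() is a clone() underneath. */
	pid_t pid = fork();
	if (pid < 0) {
		perror("fork");
		return 1;
	}
	if (pid == 0) {
		pause();	/* child: stay alive until the parent has looked */
		_exit(0);
	}

	/* Parent: compare namespace identities of itself and the child. */
	err = ns_identity(getpid(), IMA_NS_LINK, parent_id, sizeof(parent_id));
	if (!err)
		err = ns_identity(pid, IMA_NS_LINK, child_id, sizeof(child_id));
	if (err)
		fprintf(stderr, "cannot read /proc/<pid>/ns/%s: %s\n",
			IMA_NS_LINK, strerror(-err));
	else if (ns_inode(parent_id, &parent_ino) || ns_inode(child_id, &child_ino))
		fprintf(stderr, "unexpected link format: %s / %s\n", parent_id, child_id);
	else
		printf("parent %s, child %s: %s\n", parent_id, child_id,
		       parent_ino != child_ino ? "child is in a new IMA namespace"
						: "SAME namespace (request had no effect)");

	kill(pid, SIGTERM);
	waitpid(pid, NULL, 0);
	return 0;
}
```

On a kernel without this series the first step fails with ENOENT, which the program reports instead of silently claiming success; a "SAME namespace" result after a successful write means the flag was accepted but the clone() did not produce a new namespace, which is the case worth investigating.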