Subject: Re: [PATCH v10 23/27] ima: Setup securityfs for IMA namespace
From: Mimi Zohar
To: Stefan Berger, linux-integrity@vger.kernel.org
Cc: serge@hallyn.com, christian.brauner@ubuntu.com, containers@lists.linux.dev, dmitry.kasatkin@gmail.com, ebiederm@xmission.com, krzysztof.struczynski@huawei.com, roberto.sassu@huawei.com, mpeters@redhat.com, lhinds@redhat.com, lsturman@redhat.com, puiterwi@redhat.com, jejb@linux.ibm.com, jamjoom@us.ibm.com, linux-kernel@vger.kernel.org, paul@paul-moore.com, rgb@redhat.com, linux-security-module@vger.kernel.org, jmorris@namei.org, James Bottomley, Christian Brauner
Date: Wed, 23 Feb 2022 06:45:43 -0500
In-Reply-To: <20220201203735.164593-24-stefanb@linux.ibm.com>
References: <20220201203735.164593-1-stefanb@linux.ibm.com> <20220201203735.164593-24-stefanb@linux.ibm.com>

On Tue, 2022-02-01 at 15:37 -0500, Stefan Berger wrote:
> Setup securityfs with symlinks, directories, and files for IMA
> namespacing support. The same directory structure that IMA uses on the
> host is also created for the namespacing case.
>
> The securityfs file and directory ownerships cannot be set when the
> IMA namespace is initialized. Therefore, delay the setup of the file
> system to a later point when securityfs is in securityfs_fill_super.
>
> Introduce a variable ima_policy_removed in ima_namespace that is used to
> remember whether the policy file has previously been removed and thus
> should not be created again in case of unmounting and again mounting
> securityfs inside an IMA namespace.

When the ability to extend the custom IMA policy was added, support
for displaying the policy was added. (Refer to the IMA_READ_POLICY
Kconfig.) This patch set adds support for a user, true root in the
namespace, to be able to write a custom policy. If IMA_READ_POLICY
is not enabled, then nobody, including host root, will be able to view
it. Instead of continuing to support not being able to read the IMA
policy, updating the IMA_READ_POLICY Kconfig for the IMA_NS case to
require it seems preferable.

> This filesystem can now be mounted as follows:
>
> mount -t securityfs /sys/kernel/security/ /sys/kernel/security/
>
> The following directories, symlinks, and files are available
> when IMA namespacing is enabled, otherwise it will be empty:
>
> $ ls -l sys/kernel/security/
> total 0
> lr--r--r--. 1 root root 0 Dec 2 00:18 ima -> integrity/ima
> drwxr-xr-x. 3 root root 0 Dec 2 00:18 integrity
>
> $ ls -l sys/kernel/security/ima/
> total 0
> -r--r-----. 1 root root 0 Dec 2 00:18 ascii_runtime_measurements
> -r--r-----. 1 root root 0 Dec 2 00:18 binary_runtime_measurements
> -rw-------. 1 root root 0 Dec 2 00:18 policy
> -r--r-----. 1 root root 0 Dec 2 00:18 runtime_measurements_count
> -r--r-----. 1 root root 0 Dec 2 00:18 violations
>
> Signed-off-by: Stefan Berger
> Signed-off-by: James Bottomley
> Acked-by: Christian Brauner

Otherwise,

Reviewed-by: Mimi Zohar
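As an added example (not part of the patch series or of this mail), a POSIX shell audit of the IMA securityfs directory quoted above: it checks that each expected entry exists with the mode shown in the listing and flags a write-only `policy` file. The inference that a missing owner read bit on `policy` means a kernel built without IMA_READ_POLICY assumes the same POLICY_FILE_FLAGS convention the host's ima_fs.c uses; the directory path is a parameter, and the scratch directory used in testing is constructed.

```shell
#!/bin/sh
# Added example, not from the patch or the mail: audit the IMA securityfs
# directory layout quoted in the commit message. DIR defaults to the path
# from the mail, relative to the securityfs mount.

# Expected entries and octal modes, taken from the `ls -l` listing.
IMA_EXPECTED="ascii_runtime_measurements:440
binary_runtime_measurements:440
policy:600
runtime_measurements_count:440
violations:440"

# audit_ima_dir [DIR]: print one line per finding; return 0 only when
# the layout matches the listing exactly.
audit_ima_dir() {
    dir=${1:-/sys/kernel/security/ima}
    rc=0
    for spec in $IMA_EXPECTED; do
        name=${spec%%:*}
        want=${spec##*:}
        path="$dir/$name"
        if [ ! -e "$path" ]; then
            echo "MISSING $name"
            rc=1
            continue
        fi
        got=$(stat -c %a "$path")          # GNU/busybox stat: octal mode
        if [ "$got" != "$want" ]; then
            echo "MODE $name: got $got want $want"
            rc=1
        fi
        if [ "$name" = policy ]; then
            # Assumption (mirrors host ima_fs.c): the owner read bit on
            # `policy` is set only with CONFIG_IMA_READ_POLICY, so a
            # write-only policy file means nobody can view the policy.
            owner=${got%??}                # leading octal digit: owner bits
            if [ $((owner & 4)) -eq 0 ]; then
                echo "POLICY_WRITE_ONLY: IMA_READ_POLICY appears disabled"
                rc=1
            fi
        fi
    done
    return $rc
}

# Stand-alone use: `sh audit_ima.sh [DIR]`; silent when DIR is absent.
[ -d "${1:-/sys/kernel/security/ima}" ] && audit_ima_dir "$1" || :
```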