Received: by 2002:a05:6602:18e:0:0:0:0 with SMTP id m14csp1889304ioo;
        Mon, 23 May 2022 05:42:20 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxxnTRtvIQBk7oK2uhi2zMJTaD8ZAW7BUcRV/D097NYMYVdg2nBhMDyIH+p8dRwDnY0q2iz
X-Received: by 2002:a17:903:3012:b0:162:1dce:988b with SMTP id o18-20020a170903301200b001621dce988bmr6515379pla.78.1653309740818;
        Mon, 23 May 2022 05:42:20 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1653309740; cv=none;
        d=google.com; s=arc-20160816;
        b=0UrabVD+Wk6Idbyd87T6wraXpCWc9LCT4alDa/sdNIZs9MgULLqLPt9ScB3vsiOUjt
         givK3Acew+jQ26ESfX/6UXQ9NjnP94YggLLaH9bEZMGWogyhxXvwDC+2hO2metJqYv+X
         KSdrg1CPYwk2LJUg1RUU+OzFoVo11IR0wSGq/2E2u159grbZOL9J/GMZEu5zYEAL1Bb6
         k5Dcw6FDBpby88hY7PWR0bk7WBljVl+/tEVe3kR4DMfirR/zDrwsxgQU/hHAsIvC2Unb
         gbWRRUr1FUxTbSJIpAbcZL17EbjaD4HLzaWh/S+prPIlAUhDngiOV/A3KpYZQZZ2Q0iI
         MuKw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=IgsPY2fwTSrAjNwYZky1xYZehX/EiVH6u7ao13ZGyV4=;
        b=gW3aiIT3DG01Gq4Cac8Bm72MwvlPrItUKs3yKLg1oMBYAYzRKldKcyoE62QyunV3fi
         cXfCvEjTeYvjie6HqZgZlK1EPy44UNPnXWv7X1nr9hGQWOrHifn9S3YPJg/trnHd27cg
         R2WlTDPGSnIy+pBsFQoCcinZepNtLHMCPihChUL+k5r2gYOaLX/YEP7uIZcgYT/UDVCh
         oQBukd81mcbVW91m5e1pBSlqOi1XFgC7YNoza+eX44Te5ulGYkZF4y7m3/XodQjXSZxF
         fU6mJDP0Lu9EmwTKNZO7Rlk6zH4gjPSk05WUy7MWcPUo1orYjk51B0WuS54WGlKCv3a3
         Jl9w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=ugvrIskp;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18])
        by mx.google.com with ESMTPS id c7-20020a655a87000000b003dba8415dfesi9560789pgt.769.2022.05.23.05.42.20
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 23 May 2022 05:42:20 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=ugvrIskp;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by lindbergh.monkeyblade.net (Postfix) with ESMTP id A2F3820F70;
	Mon, 23 May 2022 05:42:18 -0700 (PDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S235626AbiEWMmL (ORCPT <rfc822;0x.yzhang@gmail.com> + 99 others);
        Mon, 23 May 2022 08:42:11 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60890 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S235586AbiEWMmJ (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 23 May 2022 08:42:09 -0400
Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6266011C23;
        Mon, 23 May 2022 05:42:08 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by dfw.source.kernel.org (Postfix) with ESMTPS id E521E61319;
        Mon, 23 May 2022 12:42:07 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 76ABEC385AA;
        Mon, 23 May 2022 12:42:02 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=k20201202; t=1653309727;
        bh=9lBIyTSOtY/yGLBODsoRnmVV+xqjg/4hX6o/WsAsCfc=;
        h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
        b=ugvrIskpD7GM77Xnwf1rnAE8Dktxpjw87tjSywen6XLTPqn6muwiNFtD3bT8BI5vt
         yTDPvCx+UEjvPNIMCl1p3HEIG6SLOw/wBZjMCtzhbxjDVe9+zC0fbt1ey5ZAts9eAP
         /eDtjE/fKMPODYfXy837+S2Q+wwYLmT84alBFm23TuPm5jEISv7/kXepCnJGJtUREG
         uqRP5hORcfKLlGSN7DLbd3pi5nshsuXS9tnnESPhR+ciDaBPrn326XfgW0PJG4kWpB
         /hagaYmSM+RWhqq47CC+sfzszZ91rHfsqBoZ5YEvXemzv6qM1hbU6yQJqW/Jl3Zakd
         2zucgZznTZ3xw==
Date:   Mon, 23 May 2022 14:41:59 +0200
From:   Christian Brauner <brauner@kernel.org>
To:     Stefan Berger <stefanb@linux.ibm.com>
Cc:     "Serge E. Hallyn" <serge@hallyn.com>,
        linux-integrity@vger.kernel.org, zohar@linux.ibm.com,
        christian.brauner@ubuntu.com, containers@lists.linux.dev,
        dmitry.kasatkin@gmail.com, ebiederm@xmission.com,
        krzysztof.struczynski@huawei.com, roberto.sassu@huawei.com,
        mpeters@redhat.com, lhinds@redhat.com, lsturman@redhat.com,
        puiterwi@redhat.com, jejb@linux.ibm.com, jamjoom@us.ibm.com,
        linux-kernel@vger.kernel.org, paul@paul-moore.com, rgb@redhat.com,
        linux-security-module@vger.kernel.org, jmorris@namei.org,
        jpenumak@redhat.com
Subject: Re: [PATCH v12 13/26] userns: Add pointer to ima_namespace to
 user_namespace
Message-ID: <20220523124159.zsbp2gonh2dum4jm@wittgenstein>
References: <20220420140633.753772-1-stefanb@linux.ibm.com>
 <20220420140633.753772-14-stefanb@linux.ibm.com>
 <20220522182426.GA24765@mail.hallyn.com>
 <20220523095932.adr2r26o2obch4r5@wittgenstein>
 <e1df20d5-a6c9-d30c-3671-46f7a8742bc0@linux.ibm.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <e1df20d5-a6c9-d30c-3671-46f7a8742bc0@linux.ibm.com>
X-Spam-Status: No, score=-3.0 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
	DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI,
	RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable
	autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
	lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, May 23, 2022 at 07:31:29AM -0400, Stefan Berger wrote:
> 
> 
> On 5/23/22 05:59, Christian Brauner wrote:
> > On Sun, May 22, 2022 at 01:24:26PM -0500, Serge Hallyn wrote:
> > > On Wed, Apr 20, 2022 at 10:06:20AM -0400, Stefan Berger wrote:
> > > > Add a pointer to ima_namespace to the user_namespace and initialize
> > > > the init_user_ns with a pointer to init_ima_ns. We need a pointer from
> > > > the user namespace to its associated IMA namespace since IMA namespaces
> > > > are piggybacking on user namespaces.
> > > > 
> > > > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> > > > Acked-by: Christian Brauner <brauner@kernel.org>
> > > > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> > > > 
> > > > ---
> > > > v11:
> > > >   - Added lost A-b from Christian back
> > > >   - Added sentence to patch description explaining why we need the pointer
> > > > 
> > > > v9:
> > > >   - Deferred implementation of ima_ns_from_user_ns() to later patch
> > > > ---
> > > >   include/linux/ima.h            | 2 ++
> > > >   include/linux/user_namespace.h | 4 ++++
> > > >   kernel/user.c                  | 4 ++++
> > > >   3 files changed, 10 insertions(+)
> > > > 
> > > > diff --git a/include/linux/ima.h b/include/linux/ima.h
> > > > index 426b1744215e..fcb60a44e05f 100644
> > > > --- a/include/linux/ima.h
> > > > +++ b/include/linux/ima.h
> > > > @@ -14,6 +14,8 @@
> > > >   #include <crypto/hash_info.h>
> > > >   struct linux_binprm;
> > > > +extern struct ima_namespace init_ima_ns;
> > > > +
> > > >   #ifdef CONFIG_IMA
> > > >   extern enum hash_algo ima_get_current_hash_algo(void);
> > > >   extern int ima_bprm_check(struct linux_binprm *bprm);
> > > > diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
> > > > index 33a4240e6a6f..019e8cf7b633 100644
> > > > --- a/include/linux/user_namespace.h
> > > > +++ b/include/linux/user_namespace.h
> > > > @@ -36,6 +36,7 @@ struct uid_gid_map { /* 64 bytes -- 1 cache line */
> > > >   #define USERNS_INIT_FLAGS USERNS_SETGROUPS_ALLOWED
> > > >   struct ucounts;
> > > > +struct ima_namespace;
> > > >   enum ucount_type {
> > > >   	UCOUNT_USER_NAMESPACES,
> > > > @@ -99,6 +100,9 @@ struct user_namespace {
> > > >   #endif
> > > >   	struct ucounts		*ucounts;
> > > >   	long ucount_max[UCOUNT_COUNTS];
> > > > +#ifdef CONFIG_IMA_NS
> > > 
> > > It's probably worth putting a comment here saying that user_ns does not
> > > pin ima_ns.
> > > 
> > > That the only time the ima_ns will be freed is when user_ns is freed,
> > > and only time it will be changed is when user_ns is freed, or during
> > > ima_fs_ns_init() (under smp_load_acquire) during a new mount.
> > > 
> > > > +	struct ima_namespace	*ima_ns;
> > > 
> > > So, if I create a new user_ns with a new ima_ns, and in there I
> > > create a new user_ns again, it looks like ima_ns will be NULL in
> > > the new user_ns?  Should it not be set to the parent->ima_ns?
> > > (which would cause trouble for the way it's currently being
> > > freed...)
> > 
> > Would also work and wouldn't be difficult to do imho.
> 
> We previously decide to create an ima_namespace when securityfs is mounted.
> This now also applies to nested containers where an IMA namespace is first
> configured with the hash and template to use in a particular container and
> then activated. If no configuration is done it will inherit the hash and
> template from the first ancestor that has been configure when it is
> activated. So the same steps and behavior applies to *all* containers, no
> difference at any depth of nesting. Besides that, we don't want nested
> containers to share policy and logs but keep them isolated from each other,
> or do we not?
> 
> Further, how should it work if we were to apply this even to the first
> container? Should it just inherit the &init_ima_namespace and we'd have no
> isolation at all? Why would we start treating containers at deeper nesting
> levels differently?

Valid points. I understood Serge as suggesting an implementation detail
change not a design change but might misunderstand him here.

# Currently

1. create new userns -> imans set to NULL
2. mount securityfs and configure imans -> set imans to &new_ima_ns

When 2. hasn't been done then we find the relevant imans by walking
the userns hierarchy upwards finding the first parent userns that has a
non-NULL imans.

# Serge's suggestion

1. create new userns -> imans is set to parent imans
2. mount securityfs and configure imans -> replace parent with &new_ima_ns

So when 2. hasn't been done we don't need to walk the userns hierarchy
upwards. We always find the relevant imans directly. Some massaging
would be needed in process_measurement() probably but it wouldn't need
to change semantics per se.

But I think I misunderstood something in any case. So looking at an
example like ima_post_path_mknod(). You seem to not call into
ima_must_appraise() if the caller's userns doesn't have an imans
enabled. I somehow had thought that the same logic applied as in
process_measurement. But if it isn't then it might make sense to keep
the current implementation.