Re: [RFC PATCH 00/30] ima: Introduce IMA namespace

(off-list ancestor, not in this archive)
[RFC PATCH 00/30] ima: Introduce IMA namespace · <hidden> · 2020-08-18
[RFC PATCH 01/30] ima: Introduce ima namespace · <hidden> · 2020-08-18
[RFC PATCH 03/30] ima: Bind ima namespace to the file descriptor · <hidden> · 2020-08-18
[RFC PATCH 07/30] ima: Extend the APIs in the integrity subsystem · <hidden> · 2020-08-18
[RFC PATCH 08/30] ima: Add integrity inode related data to the ima namespace · <hidden> · 2020-08-18
[RFC PATCH 06/30] ima: Add ima namespace to the ima subsystem APIs · <hidden> · 2020-08-18
[RFC PATCH 09/30] ima: Enable per ima namespace policy settings · <hidden> · 2020-08-18
[RFC PATCH 05/30] ima: Add methods for parsing ima policy configuration string · <hidden> · 2020-08-18
[RFC PATCH 04/30] ima: Add ima policy related data to the ima namespace · <hidden> · 2020-08-18
[RFC PATCH 02/30] ima: Add a list of the installed ima namespaces · <hidden> · 2020-08-18
Re: [RFC PATCH 00/30] ima: Introduce IMA namespace · Christian Brauner <hidden> · 2020-08-18
RE: [RFC PATCH 00/30] ima: Introduce IMA namespace · Krzysztof Struczynski <hidden> · 2020-08-21
Re: [RFC PATCH 00/30] ima: Introduce IMA namespace · James Bottomley <James.Bottomley@HansenPartnership.com> · 2020-08-18
RE: [RFC PATCH 00/30] ima: Introduce IMA namespace · Krzysztof Struczynski <hidden> · 2020-08-21
Re: [RFC PATCH 00/30] ima: Introduce IMA namespace · Mimi Zohar <zohar@linux.ibm.com> · 2020-09-02
Re: [RFC PATCH 00/30] ima: Introduce IMA namespace · Dr. Greg <hidden> · 2020-09-04
RE: [RFC PATCH 00/30] ima: Introduce IMA namespace · Krzysztof Struczynski <hidden> · 2020-09-14
Re: [RFC PATCH 00/30] ima: Introduce IMA namespace · Christian Brauner <hidden> · 2020-08-18
RE: [RFC PATCH 00/30] ima: Introduce IMA namespace · Krzysztof Struczynski <hidden> · 2020-08-21
Re: [RFC PATCH 00/30] ima: Introduce IMA namespace · Mimi Zohar <zohar@linux.ibm.com> · 2020-09-02
Re: [RFC PATCH 00/30] ima: Introduce IMA namespace · Dr. Greg <hidden> · 2020-09-06

From: James Bottomley <James.Bottomley@HansenPartnership.com>
Date: 2020-08-18 16:20:05
Also in: linux-security-module, lkml

Possibly related (same subject, not in this thread)

2020-10-25 · Re: [RFC PATCH 00/30] ima: Introduce IMA namespace · Dr. Greg <hidden>
2020-10-19 · RE: [RFC PATCH 00/30] ima: Introduce IMA namespace · Krzysztof Struczynski <hidden>
2020-09-14 · RE: [RFC PATCH 00/30] ima: Introduce IMA namespace · Krzysztof Struczynski <hidden>
2020-09-09 · Re: [RFC PATCH 00/30] ima: Introduce IMA namespace · Dr. Greg <hidden>
2020-09-08 · Re: [RFC PATCH 00/30] ima: Introduce IMA namespace · Mimi Zohar <zohar@linux.ibm.com>

On Tue, 2020-08-18 at 17:20 +0200, krzysztof.struczynski@huawei.com
wrote:

The measurement list remains global, with the assumption that there
is only one TPM in the system. Each IMA namespace has a unique ID,
that allows to track measurements per IMA namespace. Processes in one
namespace, have access only to the measurements from that namespace.
The exception is made for the initial IMA namespace, whose processes
have access to all entries.

So I think this can work in the use case where the system owner is
responsible for doing the logging and attestation and the tenants just
trust the owner without requiring an attestation.  However, in a multi-
tenant system you need a way for the attestation to be per-container
(because the combined list of who executed what would be a security
leak between tenants).  Since we can't virtualise the PCRs without
introducing a vtpm this is going to require a vtpm infrastructure like
that used for virtual machines and then we can do IMA logging per
container.

I don't think the above has to be in your first patch set, we just have
to have an idea of how it could be done to show that nothing in this
patch set precludes a follow on from doing this.

James

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help