Re: [RFC PATCH 00/30] ima: Introduce IMA namespace

(off-list ancestor, not in this archive)
[RFC PATCH 00/30] ima: Introduce IMA namespace · <hidden> · 2020-08-18
[RFC PATCH 01/30] ima: Introduce ima namespace · <hidden> · 2020-08-18
[RFC PATCH 03/30] ima: Bind ima namespace to the file descriptor · <hidden> · 2020-08-18
[RFC PATCH 07/30] ima: Extend the APIs in the integrity subsystem · <hidden> · 2020-08-18
[RFC PATCH 08/30] ima: Add integrity inode related data to the ima namespace · <hidden> · 2020-08-18
[RFC PATCH 06/30] ima: Add ima namespace to the ima subsystem APIs · <hidden> · 2020-08-18
[RFC PATCH 09/30] ima: Enable per ima namespace policy settings · <hidden> · 2020-08-18
[RFC PATCH 05/30] ima: Add methods for parsing ima policy configuration string · <hidden> · 2020-08-18
[RFC PATCH 04/30] ima: Add ima policy related data to the ima namespace · <hidden> · 2020-08-18
[RFC PATCH 02/30] ima: Add a list of the installed ima namespaces · <hidden> · 2020-08-18
Re: [RFC PATCH 00/30] ima: Introduce IMA namespace · Christian Brauner <hidden> · 2020-08-18
RE: [RFC PATCH 00/30] ima: Introduce IMA namespace · Krzysztof Struczynski <hidden> · 2020-08-21
Re: [RFC PATCH 00/30] ima: Introduce IMA namespace · James Bottomley <James.Bottomley@HansenPartnership.com> · 2020-08-18
RE: [RFC PATCH 00/30] ima: Introduce IMA namespace · Krzysztof Struczynski <hidden> · 2020-08-21
Re: [RFC PATCH 00/30] ima: Introduce IMA namespace · Mimi Zohar <zohar@linux.ibm.com> · 2020-09-02
Re: [RFC PATCH 00/30] ima: Introduce IMA namespace · Dr. Greg <hidden> · 2020-09-04
RE: [RFC PATCH 00/30] ima: Introduce IMA namespace · Krzysztof Struczynski <hidden> · 2020-09-14
Re: [RFC PATCH 00/30] ima: Introduce IMA namespace · Christian Brauner <hidden> · 2020-08-18
RE: [RFC PATCH 00/30] ima: Introduce IMA namespace · Krzysztof Struczynski <hidden> · 2020-08-21
Re: [RFC PATCH 00/30] ima: Introduce IMA namespace · Mimi Zohar <zohar@linux.ibm.com> · 2020-09-02
Re: [RFC PATCH 00/30] ima: Introduce IMA namespace · Dr. Greg <hidden> · 2020-09-06

From: Christian Brauner <hidden>
Date: 2020-08-18 16:49:51
Also in: linux-security-module, lkml

Possibly related (same subject, not in this thread)

2020-10-25 · Re: [RFC PATCH 00/30] ima: Introduce IMA namespace · Dr. Greg <hidden>
2020-10-19 · RE: [RFC PATCH 00/30] ima: Introduce IMA namespace · Krzysztof Struczynski <hidden>
2020-09-14 · RE: [RFC PATCH 00/30] ima: Introduce IMA namespace · Krzysztof Struczynski <hidden>
2020-09-09 · Re: [RFC PATCH 00/30] ima: Introduce IMA namespace · Dr. Greg <hidden>
2020-09-08 · Re: [RFC PATCH 00/30] ima: Introduce IMA namespace · Mimi Zohar <zohar@linux.ibm.com>

On Tue, Aug 18, 2020 at 05:20:07PM +0200, krzysztof.struczynski@huawei.com wrote:

From: Krzysztof Struczynski <redacted>

IMA has not been designed to work with containers. It handles every
process in the same way, and it cannot distinguish if a process belongs to
a container or not.

Containers use namespaces to make it appear to the processes in the
containers that they have their own isolated instance of the global
resource. For IMA as well, it is desirable to let processes in the

IMA is brought up on a regular basis with "we want to have this" for
years and then non-one seems to really care enough.

I'm highly skeptical of the value of ~2500 lines of code even if it
includes a bunch of namespace boilerplate. It's yet another namespace,
and yet another security framework.
Why does IMA need to be a separate namespace? Keyrings are tied to user
namespaces why can't IMA be? I believe Eric has even pointed that out
before.

Eric, thoughts?

Christian

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help