Thread (3 messages) 3 messages, 2 authors, 2017-07-26

[PATCH v2] xattr: Enable security.capability in user namespaces

From: Mimi Zohar <hidden>
Date: 2017-07-26 13:58:07
Also in: lkml, oe-lkp


On Tue, 2017-07-25 at 22:00 -0500, Serge E. Hallyn wrote:
On Fri, Jul 14, 2017 at 03:26:14PM -0400, Mimi Zohar wrote:
[quoted text elided]
On Fri, 2017-07-14 at 13:17 -0500, Eric W. Biederman wrote:
[quoted text elided]
Which brings us to the semantic question of would it be nice to have
stacked IMA/EVM on the same file.

I really don't think we do.  I think allowing multiple keys for
different part of trusting files is easy enough that we should have no
need to fight over which keys do which.
We definitely want to support different policies on the native and in
the namespace with different keys and keyrings.
Ok, so Stefan's code to support userspace in a container reading
security.ima and getting back the value for security.ima at uid=1000
(if 1000 is the kuid of the container's root user) is in fact
useful to IMA?
Definitely! Root within the namespace needs to be able to read and
write security.ima in order to (re)sign files, with a specific key
known to that container. Stefan's code provides different views of
the security xattrs.

Mimi

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
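The view semantics Mimi describes above, as an added user-space model that is not part of this thread or of Stefan's kernel patch: native root and the root of a user namespace each see their own security.ima on the same file, and each (re)signs with its own key. The "@uid=<kuid>" host-side naming, the toy signature routine, and the file content are assumptions constructed for this simulation; the real xattr naming and IMA signature format are defined by the kernel code, not here.

```python
# Added illustration (not the patch's code): per-user-namespace views of
# security.ima modelled with plain dicts. The host-side name suffix
# "@uid=<kuid>" is an ASSUMED format for this simulation only.
from __future__ import annotations

import hashlib

NATIVE_ROOT_KUID = 0


def host_name(xattr: str, container_root_kuid: int) -> str:
    """Host-visible name backing a namespace's view of `xattr`.

    Native root (kuid 0) sees the unsuffixed attribute; root of a user
    namespace whose root maps to kuid N sees "<xattr>@uid=N" (assumed).
    """
    if container_root_kuid == NATIVE_ROOT_KUID:
        return xattr
    return f"{xattr}@uid={container_root_kuid}"


def get_view(host_xattrs: dict[str, bytes], xattr: str,
             container_root_kuid: int) -> bytes | None:
    """Read `xattr` as root of the namespace rooted at `container_root_kuid`."""
    return host_xattrs.get(host_name(xattr, container_root_kuid))


def set_view(host_xattrs: dict[str, bytes], xattr: str,
             container_root_kuid: int, value: bytes) -> None:
    """Write `xattr` from that namespace; only its own view changes."""
    host_xattrs[host_name(xattr, container_root_kuid)] = value


def sign(content: bytes, key_id: str) -> bytes:
    """Toy stand-in for an IMA signature made with the key `key_id`.

    Real IMA signatures are asymmetric; this keyed digest only models
    'a value that verifies under one key and not another'.
    """
    digest = hashlib.sha256(key_id.encode() + b"\0" + content).digest()
    return key_id.encode() + b":" + digest[:8]


def verify(value: bytes | None, content: bytes, key_id: str) -> bool:
    """True iff `value` is the signature of `content` under `key_id`."""
    return value is not None and value == sign(content, key_id)


def demo() -> dict:
    """Host signs with its key; container root (kuid 1000) re-signs with its own."""
    content = b"#!/bin/sh\necho hello\n"   # constructed file content
    xattrs: dict[str, bytes] = {}          # constructed: the file's xattrs on the host

    set_view(xattrs, "security.ima", NATIVE_ROOT_KUID, sign(content, "host-key"))
    set_view(xattrs, "security.ima", 1000, sign(content, "container1-key"))

    native = get_view(xattrs, "security.ima", NATIVE_ROOT_KUID)
    container = get_view(xattrs, "security.ima", 1000)
    return {
        "host_names": sorted(xattrs),
        # each policy verifies only its own view with its own key
        "native_ok_with_host_key": verify(native, content, "host-key"),
        "container_ok_with_container_key": verify(container, content, "container1-key"),
        "container_ok_with_host_key": verify(container, content, "host-key"),
        # a second container (root kuid 2000) has no view yet
        "other_container_view": get_view(xattrs, "security.ima", 2000),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val!r}")
```

The point the model makes explicit: the container's re-signing lands under a separate host-side name, so the native security.ima and the host's IMA/EVM policy are untouched, and a container's signature does not verify under the host key (nor a sibling container's key). Nothing here touches real xattrs, so it runs unprivileged.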