Re: [PATCH v8 03/19] ima: Move policy related variables into ima_namespace

[PATCH v8 00/19] ima: Namespace IMA with audit support in IMA-ns · Stefan Berger <hidden> · 2022-01-04
[PATCH v8 10/19] ima: Implement hierarchical processing of file accesses · Stefan Berger <hidden> · 2022-01-04
Re: [PATCH v8 10/19] ima: Implement hierarchical processing of file accesses · Christian Brauner <brauner@kernel.org> · 2022-01-14
Re: [PATCH v8 10/19] ima: Implement hierarchical processing of file accesses · Stefan Berger <stefanb@linux.ibm.com> · 2022-01-18
[PATCH v8 01/19] securityfs: Extend securityfs with namespacing support · Stefan Berger <hidden> · 2022-01-04
Re: [PATCH v8 01/19] securityfs: Extend securityfs with namespacing support · Al Viro <viro@zeniv.linux.org.uk> · 2022-01-05
Re: [PATCH v8 01/19] securityfs: Extend securityfs with namespacing support · Christian Brauner <hidden> · 2022-01-05
Re: [PATCH v8 01/19] securityfs: Extend securityfs with namespacing support · Mimi Zohar <zohar@linux.ibm.com> · 2022-01-11
Re: [PATCH v8 01/19] securityfs: Extend securityfs with namespacing support · Christian Brauner <brauner@kernel.org> · 2022-01-11
[PATCH v8 02/19] ima: Define ima_namespace structure and implement basic functions · Stefan Berger <hidden> · 2022-01-04
[PATCH v8 06/19] ima: Move some IMA policy and filesystem related variables into ima_namespace · Stefan Berger <hidden> · 2022-01-04
[PATCH v8 07/19] ima: Move dentry into ima_namespace and others onto stack · Stefan Berger <hidden> · 2022-01-04
Re: [PATCH v8 07/19] ima: Move dentry into ima_namespace and others onto stack · Mimi Zohar <zohar@linux.ibm.com> · 2022-01-13
Re: [PATCH v8 07/19] ima: Move dentry into ima_namespace and others onto stack · Stefan Berger <stefanb@linux.ibm.com> · 2022-01-18
Re: [PATCH v8 07/19] ima: Move dentry into ima_namespace and others onto stack · Mimi Zohar <zohar@linux.ibm.com> · 2022-01-18
Re: [PATCH v8 07/19] ima: Move dentry into ima_namespace and others onto stack · Stefan Berger <stefanb@linux.ibm.com> · 2022-01-18
[PATCH v8 11/19] ima: Implement ima_free_policy_rules() for freeing of an ima_namespace · Stefan Berger <hidden> · 2022-01-04
[PATCH v8 08/19] ima: Use mac_admin_ns_capable() to check corresponding capability · Stefan Berger <hidden> · 2022-01-04
Re: [PATCH v8 08/19] ima: Use mac_admin_ns_capable() to check corresponding capability · Mimi Zohar <zohar@linux.ibm.com> · 2022-01-13
[PATCH v8 19/19] ima: Enable IMA namespaces · Stefan Berger <hidden> · 2022-01-04
Re: [PATCH v8 19/19] ima: Enable IMA namespaces · Christian Brauner <brauner@kernel.org> · 2022-01-14
Re: [PATCH v8 19/19] ima: Enable IMA namespaces · Stefan Berger <stefanb@linux.ibm.com> · 2022-01-18
Re: [PATCH v8 19/19] ima: Enable IMA namespaces · Christian Brauner <brauner@kernel.org> · 2022-01-14
Re: [PATCH v8 19/19] ima: Enable IMA namespaces · Stefan Berger <stefanb@linux.ibm.com> · 2022-01-18
Re: [PATCH v8 19/19] ima: Enable IMA namespaces · Christian Brauner <brauner@kernel.org> · 2022-01-19
Re: [PATCH v8 19/19] ima: Enable IMA namespaces · Stefan Berger <stefanb@linux.ibm.com> · 2022-01-19
Re: [PATCH v8 19/19] ima: Enable IMA namespaces · Christian Brauner <brauner@kernel.org> · 2022-01-19
[PATCH v8 15/19] ima: Namespace audit status flags · Stefan Berger <hidden> · 2022-01-04
[PATCH v8 13/19] ima: Add functions for creation and freeing of an ima_namespace · Stefan Berger <hidden> · 2022-01-04
Re: [PATCH v8 13/19] ima: Add functions for creation and freeing of an ima_namespace · Christian Brauner <brauner@kernel.org> · 2022-01-14
[PATCH v8 03/19] ima: Move policy related variables into ima_namespace · Stefan Berger <hidden> · 2022-01-04
Re: [PATCH v8 03/19] ima: Move policy related variables into ima_namespace · Mimi Zohar <zohar@linux.ibm.com> · 2022-01-13
Re: [PATCH v8 03/19] ima: Move policy related variables into ima_namespace · Christian Brauner <brauner@kernel.org> · 2022-01-14
Re: [PATCH v8 03/19] ima: Move policy related variables into ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2022-01-19
[PATCH v8 04/19] ima: Move ima_htable into ima_namespace · Stefan Berger <hidden> · 2022-01-04
[PATCH v8 12/19] userns: Add pointer to ima_namespace to user_namespace · Stefan Berger <hidden> · 2022-01-04
[PATCH v8 18/19] ima: Show owning user namespace's uid and gid when displaying policy · Stefan Berger <hidden> · 2022-01-04
Re: [PATCH v8 18/19] ima: Show owning user namespace's uid and gid when displaying policy · Christian Brauner <brauner@kernel.org> · 2022-01-14
Re: [PATCH v8 18/19] ima: Show owning user namespace's uid and gid when displaying policy · Stefan Berger <stefanb@linux.ibm.com> · 2022-01-18
Re: [PATCH v8 18/19] ima: Show owning user namespace's uid and gid when displaying policy · Christian Brauner <brauner@kernel.org> · 2022-01-19
[PATCH v8 17/19] ima: Setup securityfs for IMA namespace · Stefan Berger <hidden> · 2022-01-04
[PATCH v8 05/19] ima: Move measurement list related variables into ima_namespace · Stefan Berger <hidden> · 2022-01-04
Re: [PATCH v8 05/19] ima: Move measurement list related variables into ima_namespace · Mimi Zohar <zohar@linux.ibm.com> · 2022-01-13
Re: [PATCH v8 05/19] ima: Move measurement list related variables into ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2022-01-19
[PATCH v8 09/19] ima: Only accept AUDIT rules for non-init_ima_ns namespaces for now · Stefan Berger <hidden> · 2022-01-04
[PATCH v8 16/19] ima: Enable re-auditing of modified files · Stefan Berger <hidden> · 2022-01-04
Re: [PATCH v8 16/19] ima: Enable re-auditing of modified files · Stefan Berger <stefanb@linux.ibm.com> · 2022-01-05
[PATCH v8 14/19] integrity/ima: Define ns_status for storing namespaced iint data · Stefan Berger <hidden> · 2022-01-04

From: Mimi Zohar <zohar@linux.ibm.com>
Date: 2022-01-13 20:27:26
Also in: linux-integrity, lkml

Hi Stefan,

On Tue, 2022-01-04 at 12:04 -0500, Stefan Berger wrote:

From: Stefan Berger <stefanb@linux.ibm.com>

Move variables related to the IMA policy into the ima_namespace. This way
the IMA policy of an IMA namespace can be set and displayed using a
front-end like SecurityFS.

Implement ima_ns_from_file() to get the IMA namespace via the user
namespace of the SecurityFS superblock that a file belongs to.

To get the current ima_namespace use get_current_ns() when a function
that is related to a policy rule is called. In other cases where functions
are called due file attribute modifications, use init_ima_ns, since these
functions are related to IMA appraisal and changes to file attributes are
only relevant to the init_ima_ns until IMA namespaces also support IMA
appraisal. In ima_file_free() use init_ima_ns since in this case flags
related to file measurements may be affected, which is not supported in
IMA namespaces, yet.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Please split this patch into "ima: pass through ima namespace", or some
other name,  and "ima: Move policy related variables into
ima_namespace".  The other option is to combine the "pass through ima
namespace" with the 2nd patch, like Christian's example.

quoted hunk ↗ jump to hunk

---
 security/integrity/ima/ima.h                 |  49 ++++---
 security/integrity/ima/ima_api.c             |   8 +-
 security/integrity/ima/ima_appraise.c        |  28 ++--
 security/integrity/ima/ima_asymmetric_keys.c |   4 +-
 security/integrity/ima/ima_fs.c              |  16 ++-
 security/integrity/ima/ima_init.c            |   8 +-
 security/integrity/ima/ima_init_ima_ns.c     |   6 +
 security/integrity/ima/ima_main.c            |  83 +++++++----
 security/integrity/ima/ima_policy.c          | 142 ++++++++++---------
 security/integrity/ima/ima_queue_keys.c      |  11 +-
 10 files changed, 213 insertions(+), 142 deletions(-)

diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index c4af3275f015..0b3dc9425076 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h

@@ -20,6 +20,7 @@
 #include <linux/hash.h>
 #include <linux/tpm.h>
 #include <linux/audit.h>
+#include <linux/user_namespace.h>
 #include <crypto/hash_info.h>
 
 #include "../integrity.h"

@@ -43,9 +44,6 @@ enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8, TPM_PCR10 = 10 };
 
 #define NR_BANKS(chip) ((chip != NULL) ? chip->nr_allocated_banks : 0)
 
-/* current content of the policy */
-extern int ima_policy_flag;
-
 /* bitset of digests algorithms allowed in the setxattr hook */
 extern atomic_t ima_setxattr_allowed_hash_algorithms;

@@ -120,6 +118,14 @@ struct ima_kexec_hdr {
 };
 
 struct ima_namespace {
+	struct list_head ima_default_rules;
+	/* ns's policy rules */

Thank you for adding comments.  Why is the ima_default_rules not
considered "ns's policy rules"?   Will this come later or is it limited
to init_ima_ns?

+	struct list_head ima_policy_rules;
+	struct list_head ima_temp_rules;
+	/* Pointer to ns's current policy */
+	struct list_head __rcu *ima_rules;

Since "Pointer to ns's current policy" only refers to ima_rules, append
it to the variable definition.

+	/* current content of the policy */
+	int ima_policy_flag;

Similarly here append the comment to the variable definition.

 } __randomize_layout;
 extern struct ima_namespace init_ima_ns;

thanks,

Mimi

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help