Re: [PATCH v10 26/27] ima: Limit number of policy rules in non-init_ima_ns

[PATCH v10 00/27] ima: Namespace IMA with audit support in IMA-ns · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-01
[PATCH v10 03/27] ima: Return error code obtained from securityfs functions · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-01
Re: [PATCH v10 03/27] ima: Return error code obtained from securityfs functions · Mimi Zohar <zohar@linux.ibm.com> · 2022-02-10
Re: [PATCH v10 03/27] ima: Return error code obtained from securityfs functions · Mimi Zohar <zohar@linux.ibm.com> · 2022-02-15
[PATCH v10 26/27] ima: Limit number of policy rules in non-init_ima_ns · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-01
Re: [PATCH v10 26/27] ima: Limit number of policy rules in non-init_ima_ns · Mimi Zohar <zohar@linux.ibm.com> · 2022-02-23
Re: [PATCH v10 26/27] ima: Limit number of policy rules in non-init_ima_ns · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-23
Re: [PATCH v10 26/27] ima: Limit number of policy rules in non-init_ima_ns · Mimi Zohar <zohar@linux.ibm.com> · 2022-02-23
Re: [PATCH v10 26/27] ima: Limit number of policy rules in non-init_ima_ns · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-23
Re: [PATCH v10 26/27] ima: Limit number of policy rules in non-init_ima_ns · Mimi Zohar <zohar@linux.ibm.com> · 2022-02-23
Re: [PATCH v10 26/27] ima: Limit number of policy rules in non-init_ima_ns · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-23
[PATCH v10 21/27] ima: Remove unused iints from the integrity_iint_cache · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-01
[PATCH v10 18/27] integrity/ima: Define ns_status for storing namespaced iint data · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-01
Re: [PATCH v10 18/27] integrity/ima: Define ns_status for storing namespaced iint data · Mimi Zohar <zohar@linux.ibm.com> · 2022-02-23
Re: [PATCH v10 18/27] integrity/ima: Define ns_status for storing namespaced iint data · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-24
Re: [PATCH v10 18/27] integrity/ima: Define ns_status for storing namespaced iint data · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-24
[PATCH v10 01/27] ima: Remove ima_policy file before directory · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-01
Re: [PATCH v10 01/27] ima: Remove ima_policy file before directory · Mimi Zohar <zohar@linux.ibm.com> · 2022-02-10
[PATCH v10 11/27] ima: Move ima_lsm_policy_notifier into ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-01
Re: [PATCH v10 11/27] ima: Move ima_lsm_policy_notifier into ima_namespace · Mimi Zohar <zohar@linux.ibm.com> · 2022-02-17
Re: [PATCH v10 11/27] ima: Move ima_lsm_policy_notifier into ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-17
Re: [PATCH v10 11/27] ima: Move ima_lsm_policy_notifier into ima_namespace · Mimi Zohar <zohar@linux.ibm.com> · 2022-02-17
[PATCH v10 23/27] ima: Setup securityfs for IMA namespace · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-01
Re: [PATCH v10 23/27] ima: Setup securityfs for IMA namespace · Mimi Zohar <zohar@linux.ibm.com> · 2022-02-23
[PATCH v10 06/27] ima: Move arch_policy_entry into ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-01
Re: [PATCH v10 06/27] ima: Move arch_policy_entry into ima_namespace · Mimi Zohar <zohar@linux.ibm.com> · 2022-02-16
Re: [PATCH v10 06/27] ima: Move arch_policy_entry into ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-16
Re: [PATCH v10 06/27] ima: Move arch_policy_entry into ima_namespace · Mimi Zohar <zohar@linux.ibm.com> · 2022-02-16
Re: [PATCH v10 06/27] ima: Move arch_policy_entry into ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-16
[PATCH v10 07/27] ima: Move ima_htable into ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-01
Re: [PATCH v10 07/27] ima: Move ima_htable into ima_namespace · Mimi Zohar <zohar@linux.ibm.com> · 2022-02-16
[PATCH v10 19/27] integrity: Add optional callback function to integrity_inode_free() · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-01
[PATCH v10 13/27] ima: Only accept AUDIT rules for non-init_ima_ns namespaces for now · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-01
Re: [PATCH v10 13/27] ima: Only accept AUDIT rules for non-init_ima_ns namespaces for now · Mimi Zohar <zohar@linux.ibm.com> · 2022-02-17
[PATCH v10 12/27] ima: Define mac_admin_ns_capable() as a wrapper for ns_capable() · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-01
Re: [PATCH v10 12/27] ima: Define mac_admin_ns_capable() as a wrapper for ns_capable() · "Serge E. Hallyn" <serge@hallyn.com> · 2022-02-05
Re: [PATCH v10 12/27] ima: Define mac_admin_ns_capable() as a wrapper for ns_capable() · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-06
Re: [PATCH v10 12/27] ima: Define mac_admin_ns_capable() as a wrapper for ns_capable() · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-07
Re: [PATCH v10 12/27] ima: Define mac_admin_ns_capable() as a wrapper for ns_capable() · "Serge E. Hallyn" <serge@hallyn.com> · 2022-02-23
[PATCH v10 22/27] securityfs: Extend securityfs with namespacing support · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-01
Re: [PATCH v10 22/27] securityfs: Extend securityfs with namespacing support · Mimi Zohar <zohar@linux.ibm.com> · 2022-02-23
Re: [PATCH v10 22/27] securityfs: Extend securityfs with namespacing support · Christian Brauner <brauner@kernel.org> · 2022-02-23
Re: [PATCH v10 22/27] securityfs: Extend securityfs with namespacing support · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-23
[PATCH v10 20/27] ima: Namespace audit status flags · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-01
[PATCH v10 27/27] ima: Enable IMA namespaces · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-01
Re: [PATCH v10 27/27] ima: Enable IMA namespaces · "Serge E. Hallyn" <serge@hallyn.com> · 2022-02-23
Re: [PATCH v10 27/27] ima: Enable IMA namespaces · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-23
[PATCH v10 17/27] ima: Add functions for creating and freeing of an ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-01
Re: [PATCH v10 17/27] ima: Add functions for creating and freeing of an ima_namespace · Mimi Zohar <zohar@linux.ibm.com> · 2022-02-18
[PATCH v10 10/27] ima: Move IMA securityfs files into ima_namespace or onto stack · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-01
Re: [PATCH v10 10/27] ima: Move IMA securityfs files into ima_namespace or onto stack · Mimi Zohar <zohar@linux.ibm.com> · 2022-02-17
[PATCH v10 24/27] ima: Introduce securityfs file to activate an IMA namespace · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-01
Re: [PATCH v10 24/27] ima: Introduce securityfs file to activate an IMA namespace · Mimi Zohar <zohar@linux.ibm.com> · 2022-02-23
Re: [PATCH v10 24/27] ima: Introduce securityfs file to activate an IMA namespace · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-23
Re: [PATCH v10 24/27] ima: Introduce securityfs file to activate an IMA namespace · Mimi Zohar <zohar@linux.ibm.com> · 2022-02-23
Re: [PATCH v10 24/27] ima: Introduce securityfs file to activate an IMA namespace · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-23
[PATCH v10 15/27] ima: Implement hierarchical processing of file accesses · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-01
Re: [PATCH v10 15/27] ima: Implement hierarchical processing of file accesses · Mimi Zohar <zohar@linux.ibm.com> · 2022-02-18
[PATCH v10 05/27] ima: Define ima_namespace struct and start moving variables into it · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-01
Re: [PATCH v10 05/27] ima: Define ima_namespace struct and start moving variables into it · Mimi Zohar <zohar@linux.ibm.com> · 2022-02-16
Re: [PATCH v10 05/27] ima: Define ima_namespace struct and start moving variables into it · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-16
[PATCH v10 08/27] ima: Move measurement list related variables into ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-01
Re: [PATCH v10 08/27] ima: Move measurement list related variables into ima_namespace · Mimi Zohar <zohar@linux.ibm.com> · 2022-02-17
[PATCH v10 16/27] ima: Implement ima_free_policy_rules() for freeing of an ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-01
Re: [PATCH v10 16/27] ima: Implement ima_free_policy_rules() for freeing of an ima_namespace · Mimi Zohar <zohar@linux.ibm.com> · 2022-02-18
Re: [PATCH v10 16/27] ima: Implement ima_free_policy_rules() for freeing of an ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-18
Re: [PATCH v10 16/27] ima: Implement ima_free_policy_rules() for freeing of an ima_namespace · Mimi Zohar <zohar@linux.ibm.com> · 2022-02-18
[PATCH v10 09/27] ima: Move some IMA policy and filesystem related variables into ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-01
Re: [PATCH v10 09/27] ima: Move some IMA policy and filesystem related variables into ima_namespace · Mimi Zohar <zohar@linux.ibm.com> · 2022-02-17
[PATCH v10 14/27] userns: Add pointer to ima_namespace to user_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-01
Re: [PATCH v10 14/27] userns: Add pointer to ima_namespace to user_namespace · Mimi Zohar <zohar@linux.ibm.com> · 2022-02-18
[PATCH v10 25/27] ima: Show owning user namespace's uid and gid when displaying policy · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-01
Re: [PATCH v10 25/27] ima: Show owning user namespace's uid and gid when displaying policy · Mimi Zohar <zohar@linux.ibm.com> · 2022-02-23
[PATCH v10 04/27] securityfs: rework dentry creation · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-01
Re: [PATCH v10 04/27] securityfs: rework dentry creation · Mimi Zohar <zohar@linux.ibm.com> · 2022-02-10
[PATCH v10 02/27] ima: Do not print policy rule with inactive LSM labels · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-01
Re: [PATCH v10 02/27] ima: Do not print policy rule with inactive LSM labels · Christian Brauner <brauner@kernel.org> · 2022-02-02
Re: [PATCH v10 00/27] ima: Namespace IMA with audit support in IMA-ns · Christian Brauner <brauner@kernel.org> · 2022-02-02
Re: [PATCH v10 00/27] ima: Namespace IMA with audit support in IMA-ns · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-02
Re: [PATCH v10 00/27] ima: Namespace IMA with audit support in IMA-ns · Mimi Zohar <zohar@linux.ibm.com> · 2022-02-02
Re: [PATCH v10 00/27] ima: Namespace IMA with audit support in IMA-ns · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-02
Re: [PATCH v10 00/27] ima: Namespace IMA with audit support in IMA-ns · Stefan Berger <stefanb@linux.ibm.com> · 2022-02-02

From: Stefan Berger <stefanb@linux.ibm.com>
Date: 2022-02-23 20:45:53
Also in: linux-integrity, lkml

On 2/23/22 12:04, Mimi Zohar wrote:

On Wed, 2022-02-23 at 11:37 -0500, Stefan Berger wrote:

quoted

On 2/23/22 10:38, Mimi Zohar wrote:

quoted

On Tue, 2022-02-01 at 15:37 -0500, Stefan Berger wrote:

quoted

Limit the number of policy rules one can set in non-init_ima_ns to a
hardcoded 1024 rules. If the user attempts to exceed this limit by
setting too many additional rules, emit an audit message with the cause
'too-many-rules' and simply ignore the newly added rules.

This paragraph describes 'what' you're doing, not 'why'.  Please prefix
this paragraph with a short, probably one sentence, reason for the
change.

quoted

Switch the accounting for the memory allocated for IMA policy rules to
GFP_KERNEL_ACCOUNT so that cgroups kernel memory accounting takes effect.

Does this change affect the existing IMA policy rules for init_ima_ns?

There's typically no cgroup for the int_ima_ns, so not effect on
init_ima_ns.

Here's the updated text:

Limit the number of policy rules one can set in non-init_ima_ns to a
hardcoded 1024 rules to restrict the amount of memory used for IMA's
policy.

The question is "why" there should be a difference between the
init_ima_ns and non-init_ima_ns cases.  Perhaps something like, "Only


Chistian had suggested it to not have the number of policy rules unbounded.

host root with CAP_SYS_ADMIN may write init_ima_ns policy rules, but in
the non-init_ima_ns case root in the namespace with CAP_MAC_ADMIN
privileges may write IMA policy rules.  Limit the total number of IMA
policy rules per namespace."

What does it have to do with CAP_SYS_ADMIN and CAP_MAC_ADMIN and why 
mention these here? It seem primarily a limit of number of rules to 
avoid huge kernel memory consumption in the case that a cgroup limit for 
memory was not set up.

quoted

  Ignore the added rules if the user attempts to exceed this
limit by setting too many additional rules.

Switch the accounting for the memory allocated for IMA policy rules to
GFP_KERNEL_ACCOUNT so that cgroups kernel memory accounting takes effect.
This switch has no effect on the init_ima_ns.

thanks,

Mimi

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help