Re: [PATCH v14 00/26] ima: Namespace IMA with audit support in IMA-ns

[PATCH v14 00/26] ima: Namespace IMA with audit support in IMA-ns · Stefan Berger <stefanb@linux.ibm.com> · 2022-09-15
[PATCH v14 12/26] ima: Only accept AUDIT rules for non-init_ima_ns namespaces for now · Stefan Berger <stefanb@linux.ibm.com> · 2022-09-15
[PATCH v14 24/26] ima: Limit number of policy rules in non-init_ima_ns · Stefan Berger <stefanb@linux.ibm.com> · 2022-09-15
[PATCH v14 11/26] ima: Define mac_admin_ns_capable() as a wrapper for ns_capable() · Stefan Berger <stefanb@linux.ibm.com> · 2022-09-15
[PATCH v14 04/26] ima: Move arch_policy_entry into ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2022-09-15
[PATCH v14 14/26] ima: Implement hierarchical processing of file accesses · Stefan Berger <stefanb@linux.ibm.com> · 2022-09-15
[PATCH v14 09/26] ima: Move ima_lsm_policy_notifier into ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2022-09-15
[PATCH v14 16/26] ima: Add functions for creating and freeing of an ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2022-09-15
[PATCH v14 19/26] ima: Namespace audit status flags · Stefan Berger <stefanb@linux.ibm.com> · 2022-09-15
[PATCH v14 13/26] userns: Add pointer to ima_namespace to user_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2022-09-15
[PATCH v14 02/26] securityfs: Extend securityfs with namespacing support · Stefan Berger <stefanb@linux.ibm.com> · 2022-09-15
[PATCH v14 22/26] ima: Introduce securityfs file to activate an IMA namespace · Stefan Berger <stefanb@linux.ibm.com> · 2022-09-15
[PATCH v14 06/26] ima: Move measurement list related variables into ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2022-09-15
[PATCH v14 08/26] ima: Move IMA securityfs files into ima_namespace or onto stack · Stefan Berger <stefanb@linux.ibm.com> · 2022-09-15
[PATCH v14 21/26] ima: Setup securityfs for IMA namespace · Stefan Berger <stefanb@linux.ibm.com> · 2022-09-15
[PATCH v14 15/26] ima: Implement ima_free_policy_rules() for freeing of an ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2022-09-15
[PATCH v14 20/26] ima: Remove unused iints from the integrity_iint_cache · Stefan Berger <stefanb@linux.ibm.com> · 2022-09-15
[PATCH v14 18/26] integrity: Add optional callback function to integrity_inode_free() · Stefan Berger <stefanb@linux.ibm.com> · 2022-09-15
[PATCH v14 25/26] ima: Restrict informational audit messages to init_ima_ns · Stefan Berger <stefanb@linux.ibm.com> · 2022-09-15
[PATCH v14 23/26] ima: Show owning user namespace's uid and gid when displaying policy · Stefan Berger <stefanb@linux.ibm.com> · 2022-09-15
[PATCH v14 10/26] ima: Switch to lazy lsm policy updates for better performance · Stefan Berger <stefanb@linux.ibm.com> · 2022-09-15
[PATCH v14 07/26] ima: Move some IMA policy and filesystem related variables into ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2022-09-15
[PATCH v14 17/26] integrity/ima: Define ns_status for storing namespaced iint data · Stefan Berger <stefanb@linux.ibm.com> · 2022-09-15
[PATCH v14 26/26] ima: Enable IMA namespaces · Stefan Berger <stefanb@linux.ibm.com> · 2022-09-15
[PATCH v14 05/26] ima: Move ima_htable into ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2022-09-15
[PATCH v14 03/26] ima: Define ima_namespace struct and start moving variables into it · Stefan Berger <stefanb@linux.ibm.com> · 2022-09-15
[PATCH v14 01/26] securityfs: rework dentry creation · Stefan Berger <stefanb@linux.ibm.com> · 2022-09-15
Re: [PATCH v14 00/26] ima: Namespace IMA with audit support in IMA-ns · Casey Schaufler <casey@schaufler-ca.com> · 2022-09-16
Re: [PATCH v14 00/26] ima: Namespace IMA with audit support in IMA-ns · Stefan Berger <stefanb@linux.ibm.com> · 2022-09-16
Re: [PATCH v14 00/26] ima: Namespace IMA with audit support in IMA-ns · Stefan Berger <stefanb@linux.ibm.com> · 2022-09-16
Re: [PATCH v14 00/26] ima: Namespace IMA with audit support in IMA-ns · Casey Schaufler <casey@schaufler-ca.com> · 2022-09-16
Re: [PATCH v14 00/26] ima: Namespace IMA with audit support in IMA-ns · Stefan Berger <stefanb@linux.ibm.com> · 2022-09-20

From: Casey Schaufler <casey@schaufler-ca.com>
Date: 2022-09-16 00:56:49
Also in: linux-integrity, lkml

On 9/15/2022 12:31 PM, Stefan Berger wrote:

The goal of this series of patches is to start with the namespacing of
IMA and support auditing within an IMA namespace (IMA-ns) as the first
step.

In this series the IMA namespace is piggybacking on the user namespace
and therefore an IMA namespace is created when a user namespace is
created, although this is done late when SecurityFS is mounted inside
a user namespace. The advantage of piggybacking on the user namespace
is that the user namespace can provide the keys infrastructure that IMA
appraisal support will need later on.

We chose the goal of supporting auditing within an IMA namespace since it
requires the least changes to IMA. Following this series, auditing within
an IMA namespace can be activated by a root running the following lines
that rely on a statically linked busybox to be installed on the host for
execution within the minimal container environment:

As root (since audit rules may now only be set by root):

How about calling out the required capabilities? You don't need
to be root, you need a specific set of capabilities. It would be
very useful for the purposes of understanding the security value
of the patch set to know this.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help