[RFC PATCH 1/5] ima: extend clone() with IMA namespace support

James Bottomley James.Bottomley at HansenPartnership.com
Tue Jul 25 18:49:14 UTC 2017

On Tue, 2017-07-25 at 12:53 -0500, Serge E. Hallyn wrote:
> On Thu, Jul 20, 2017 at 06:50:29PM -0400, Mehmet Kayaalp wrote:
> > 
> > From: Yuqiong Sun <suny at us.ibm.com>
> > 
> > Add new CONFIG_IMA_NS config option.  Let clone() create a new IMA
> > namespace upon CLONE_NEWNS flag. Add ima_ns data structure in
> > nsproxy.
> > ima_ns is allocated and freed upon IMA namespace creation and exit.
> > Currently, the ima_ns contains no useful IMA data but only a dummy
> > interface. This patch creates the framework for namespacing the
> > different
> > aspects of IMA (eg. IMA-audit, IMA-measurement, IMA-appraisal).
> > 
> > Signed-off-by: Yuqiong Sun <suny at us.ibm.com>
> > 
> > Changelog:
> > * Use CLONE_NEWNS instead of a new CLONE_NEWIMA flag
> Hi,
> So this means that every mount namespace clone will clone a new IMA
> namespace.  Is that really ok?

Based on what: space concerns (struct ima_ns is reasonably small)? or
whether tying it to the mount namespace is the correct thing to do.  On
the latter, it does seem that this should be a property of either the
mount or user ns rather than its own separate ns.  I could see a use
where even a container might want multiple ima keyrings within the
container (say containerised apache service with multiple tenants), so
instinct tells me that mount ns is the correct granularity for this.


To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

More information about the Linux-security-module-archive mailing list