[RFC PATCH 00/30] ima: Introduce IMA namespace

Christian Brauner christian.brauner at ubuntu.com
Tue Aug 18 16:49:43 UTC 2020


On Tue, Aug 18, 2020 at 05:20:07PM +0200, krzysztof.struczynski at huawei.com wrote:
> From: Krzysztof Struczynski <krzysztof.struczynski at huawei.com>
> 
> IMA has not been designed to work with containers. It handles every
> process in the same way, and it cannot distinguish if a process belongs to
> a container or not.
> 
> Containers use namespaces to make it appear to the processes in the
> containers that they have their own isolated instance of the global
> resource. For IMA as well, it is desirable to let processes in the

IMA is brought up on a regular basis with "we want to have this" for
years and then no-one seems to really care enough.

I'm highly skeptical of the value of ~2500 lines of code even if it
includes a bunch of namespace boilerplate. It's yet another namespace,
and yet another security framework.
Why does IMA need to be a separate namespace? Keyrings are tied to user
namespaces why can't IMA be? I believe Eric has even pointed that out
before.

Eric, thoughts?

Christian
