[PATCH v5 15/16] ima: Move dentries into ima_namespace
Mimi Zohar
zohar at linux.ibm.com
Fri Dec 10 13:02:13 UTC 2021
On Fri, 2021-12-10 at 07:40 -0500, Stefan Berger wrote:
> On 12/10/21 07:09, Mimi Zohar wrote:
> > On Fri, 2021-12-10 at 12:49 +0100, Christian Brauner wrote:
> >>> There's still the problem that if you write the policy, making the file
> >>> disappear then unmount and remount securityfs it will come back. My
> >>> guess for fixing this is that we only stash the policy file reference,
> >>> create it if NULL but then set the pointer to PTR_ERR(-EINVAL) or
> >>> something and refuse to create it for that value.
> >> Some sort of indicator that gets stashed in struct ima_ns that the file
> >> does not get recreated on consecutive mounts. That shouldn't be hard to
> >> fix.
> > The policy file disappearing is for backwards compatibility, prior to
> > being able to extend the custom policy. For embedded usecases,
> > allowing the policy to be written exactly once might makes sense. Do
> > we really want/need to continue to support removing the policy in
> > namespaces?
>
> I don't have an answer but should the behavior for the same #define in
> this case be different for host and namespaces? Or should we just
> 'select IMA_WRITE_POLICY and IMA_READ_POLICY' when IMA_NS is selected?
The latter option sounds good. Being able to analyze the namespace
policy is really important.
thanks,
Mimi
More information about the Linux-security-module-archive
mailing list