[PATCH v7 00/14] ima: Namespace IMA with audit support in IMA-ns

Stefan Berger stefanb at linux.ibm.com
Mon Dec 27 17:29:42 UTC 2021 

On 12/17/21 05:06, Christian Brauner wrote:
> On Thu, Dec 16, 2021 at 04:00:40PM -0500, Stefan Berger wrote:
>>
>> But that could still mean a lot of contention on iint->mutex since this
>> lock is global, i.e. in this context: for all ima namespaces. You might
>> want to consider coming up with some rough ideas for how to solve this
>> _if_ this becomes a problem in the future.
>>
>> The plan is that each IMA namespace will have its own rbtree with its own
>> set of iints. We cannot do it all at the same time, so this will take while
>> until things can be completely moved over into a per-IMA namespace rbtree
>> and each IMA namespace becomes fully independent.
> Ok, good to hear that you have already thought about that.


Well, yes, we thought about it. However, as far as I can look ahead we 
cannot get rid of the iint->mutex:

Obviously we have to organize the data structures where IMA is recording 
what it has done with a file/inode in such a way that each namespace can 
efficiently determine whether it needs to audit/measure/appraise a file 
or re-audit/re-measure/re-appraise it after file modification. The 
organization of these data structures also has to reflect the fact that 
files can be shared between IMA namespaces via setns() on mount 
namespaces or shared files or shared mount namespaces between containers 
etc.. So, the first thing we do already is move audit-related flags into 
what is called the ns_status (namespace status) structure that are kept 
in a per-IMA namespace rbtree. This allows IMA to remember that a file 
was already audited and it doesn't need to audit it again. The lookup 
via rbtree is quick: O(log(n).

Unfortunately the previous series had a bug so that files were not 
re-audited after they were modified. I fixed this now in the new series 
(upcoming v8) by connecting each ns_status also to a list. This list 
starts in the global inode integrity cache (the iint rbtree) where each 
inode that any IMA namespace accessed has an iint entry today. The lists 
start on the iint entries representing inodes.  When files are deleted 
or modified or xattrs are modified then all IMA namespaces need to 
re-audit/re-measure/re-appraise the file (depending on policy) and for 
this we have to reset flags across all the IMA namespaces by walking the 
list of ns_status entries. The organization via iint rbtree and 
ns_status list allows for quick lookup of the inode where the 
modification happened and quick reset of the flags: O(log(n)) + O(n). 
This is better than having to search all namespaces to reset the flags 
(O(log(n) * n) if there was no list.


     Stefan

More information about the Linux-security-module-archive mailing list