[PATCH v10 00/27] ima: Namespace IMA with audit support in IMA-ns

Stefan Berger stefanb at linux.ibm.com
Wed Feb 2 14:40:24 UTC 2022


On 2/2/22 09:13, Christian Brauner wrote:
> On Tue, Feb 01, 2022 at 03:37:08PM -0500, Stefan Berger wrote:
>>
>> v10:
>>   - Added A-b's; addressed issues from v9
>>   - Added 2 patches to support freeing of iint after namespace deletion
>>   - Added patch to return error code from securityfs functions
>>   - Added patch to limit number of policy rules in IMA-ns to 1024
> I'm going to go take a lighter touch with this round of reviews.
> First, because I have February off. :)
> Second, because I think that someone who is more familiar with IMA and
> its requirements should take another look to provide input and ask more
> questions. Last time I spoke to Serge he did want to give this a longer
> look and maybe also has additional questions.

The one problem I am seeing is that we probably cannot support auditing 
in IMA namespaces since every user can now create an IMA namespace. 
Unless auditing was namespaced, the way it is now gives too much control 
to the user to flood the host audit log. So, we may need to head towards 
support for IMA measurements in the IMA namespace right away and not 
support audit rules but also possibly eliminate other actions that are 
being audited by IMA to not occur while an IMA namespace is active, such 
as when policy rules are being set etc. Not supporting auditing in 
IMA-ns affects only a few of the patches in this series. We need most of 
them for a basis of IMA measurements but to get to IMA measurements 
along with support for inheritance and configuration of hash algorithm 
and log template etc. to use in the IMA namespace and set it in its 
configuration 'stage' (before activation), we will need at least 25 more 
patches on top of what we have here now... so this series will then be 
around 50 patches.

    Stefan


