[PATCH v10 00/27] ima: Namespace IMA with audit support in IMA-ns
Mimi Zohar
zohar at linux.ibm.com
Wed Feb 2 16:04:18 UTC 2022
On Wed, 2022-02-02 at 09:40 -0500, Stefan Berger wrote:
> On 2/2/22 09:13, Christian Brauner wrote:
> > On Tue, Feb 01, 2022 at 03:37:08PM -0500, Stefan Berger wrote:
> >>
> >> v10:
> >> - Added A-b's; addressed issues from v9
> >> - Added 2 patches to support freeing of iint after namespace deletion
> >> - Added patch to return error code from securityfs functions
> >> - Added patch to limit number of policy rules in IMA-ns to 1024
> > I'm going to go take a lighter touch with this round of reviews.
> > First, because I have February off. :)
> > Second, because I think that someone who is more familiar with IMA and
> > its requirements should take another look to provide input and ask more
> > questions. Last time I spoke to Serge he did want to give this a longer
> > look and maybe also has additional questions.
>
> The one problem I am seeing is that we probably cannot support auditing
> in IMA namespaces since every user can now create an IMA namespace.
> Unless auditing was namespaced, the way it is now gives too much control
> to the user to flood the host audit log.
Stefan, we need to differentiate between the different types of audit
records being produced by IMA. Some of these are informational, like
the policy rules being loaded or "Time of Measure, Time of Use"
(ToMToU) records. When we discuss IMA-audit we're referring to the
file hashes being added in the audit log. These are the result of the
IMA "audit" policy rules.
How much of these informational messages should be audited in IMA
namespaces still needs to be discussed. For now, feel free to limit
the audit messages to just the file hashes.
thanks,
Mimi
More information about the Linux-security-module-archive
mailing list