[PATCH v10 00/27] ima: Namespace IMA with audit support in IMA-ns

[Stefan Berger]

On 2/2/22 11:04, Mimi Zohar wrote:
> On Wed, 2022-02-02 at 09:40 -0500, Stefan Berger wrote:
>> On 2/2/22 09:13, Christian Brauner wrote:
>>> On Tue, Feb 01, 2022 at 03:37:08PM -0500, Stefan Berger wrote:
>>>> v10:
>>>>    - Added A-b's; addressed issues from v9
>>>>    - Added 2 patches to support freeing of iint after namespace deletion
>>>>    - Added patch to return error code from securityfs functions
>>>>    - Added patch to limit number of policy rules in IMA-ns to 1024
>>> I'm going to go take a lighter touch with this round of reviews.
>>> First, because I have February off. :)
>>> Second, because I think that someone who is more familiar with IMA and
>>> its requirements should take another look to provide input and ask more
>>> questions. Last time I spoke to Serge he did want to give this a longer
>>> look and maybe also has additional questions.
>> The one problem I am seeing is that we probably cannot support auditing
>> in IMA namespaces since every user can now create an IMA namespace.
>> Unless auditing was namespaced, the way it is now gives too much control
>> to the user to flood the host audit log.
> Stefan, we need to differentiate between the different types of audit
> records being produced by IMA.  Some of these are informational, like
> the policy rules being loaded or "Time of Measure, Time of Use"
> (ToMToU) records.  When we discuss IMA-audit we're referring to the
> file hashes being added in the audit log.  These are the result of the
> IMA "audit" policy rules.
>
> How much of these informational messages should be audited in IMA
> namespaces still needs to be discussed.  For now, feel free to limit
> the audit messages to just the file hashes.
I doubt we should let a user produce informational audit messages or 
audit messages related to file hashes... it's unfortunate, but it opens 
a door for abuse.

> thanks,
>
> Mimi
>