[PATCH v9 20/23] ima: Setup securityfs for IMA namespace
Christian Brauner
brauner at kernel.org
Wed Jan 26 14:03:54 UTC 2022
On Tue, Jan 25, 2022 at 05:46:42PM -0500, Stefan Berger wrote:
> From: Stefan Berger <stefanb at linux.ibm.com>
>
> Setup securityfs with symlinks, directories, and files for IMA
> namespacing support. The same directory structure that IMA uses on the
> host is also created for the namespacing case.
>
> The securityfs file and directory ownerships cannot be set when the
> IMA namespace is initialized. Therefore, delay the setup of the file
> system to a later point when securityfs is in securityfs_fill_super.
>
> Introduce a variable ima_policy_removed in ima_namespace that is used to
> remember whether the policy file has previously been removed and thus
> should not be created again in case of unmounting and again mounting
> securityfs inside an IMA namespace.
>
> This filesystem can now be mounted as follows:
>
> mount -t securityfs /sys/kernel/security/ /sys/kernel/security/
>
> The following directories, symlinks, and files are available
> when IMA namespacing is enabled, otherwise it will be empty:
>
> $ ls -l sys/kernel/security/
> total 0
> lr--r--r--. 1 root root 0 Dec 2 00:18 ima -> integrity/ima
> drwxr-xr-x. 3 root root 0 Dec 2 00:18 integrity
>
> $ ls -l sys/kernel/security/ima/
> total 0
> -r--r-----. 1 root root 0 Dec 2 00:18 ascii_runtime_measurements
> -r--r-----. 1 root root 0 Dec 2 00:18 binary_runtime_measurements
> -rw-------. 1 root root 0 Dec 2 00:18 policy
> -r--r-----. 1 root root 0 Dec 2 00:18 runtime_measurements_count
> -r--r-----. 1 root root 0 Dec 2 00:18 violations
>
> Signed-off-by: Stefan Berger <stefanb at linux.ibm.com>
> Signed-off-by: James Bottomley <James.Bottomley at HansenPartnership.com>
>
> ---
Acked-by: Christian Brauner <brauner at kernel.org>
More information about the Linux-security-module-archive
mailing list