[PATCH v14 00/26] ima: Namespace IMA with audit support in IMA-ns

Fri Sep 16 13:20:55 UTC 2022

On 9/16/22 06:54, Stefan Berger wrote:
> 
> 
> On 9/15/22 20:56, Casey Schaufler wrote:
>> On 9/15/2022 12:31 PM, Stefan Berger wrote:
>>> The goal of this series of patches is to start with the namespacing of
>>> IMA and support auditing within an IMA namespace (IMA-ns) as the first
>>> step.
>>>
>>> In this series the IMA namespace is piggybacking on the user namespace
>>> and therefore an IMA namespace is created when a user namespace is
>>> created, although this is done late when SecurityFS is mounted inside
>>> a user namespace. The advantage of piggybacking on the user namespace
>>> is that the user namespace can provide the keys infrastructure that IMA
>>> appraisal support will need later on.
>>>
>>> We chose the goal of supporting auditing within an IMA namespace 
>>> since it
>>> requires the least changes to IMA. Following this series, auditing 
>>> within
>>> an IMA namespace can be activated by a root running the following lines
>>> that rely on a statically linked busybox to be installed on the host for
>>> execution within the minimal container environment:
>>>
>>> As root (since audit rules may now only be set by root):
>>
>> How about calling out the required capabilities? You don't need
>> to be root, you need a specific set of capabilities. It would be
>> very useful for the purposes of understanding the security value
>> of the patch set to know this.
>>
> CAP_AUDIT_WRITE?
> 

Currently the capabilities that are required are CAP_SYS_ADMIN, which I 
could change to CAP_AUDIT_WRITE. This would result in the following 
change to 26/26:

  diff --git a/security/integrity/ima/ima_policy.c 
b/security/integrity/ima/ima_policy.c
index 760e79bb5a34..40cd19d38f23 100644

--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -1396,15 +1396,15 @@ static unsigned int 
ima_parse_appraise_algos(char *arg)
  }

  /*
- * Either host root with CAP_SYS_ADMIN in current user namespace or
- * root with CAP_SYS_ADMIN on the host entering a namespace may set
+ * Either host root with CAP_AUDIT_WRITE in current user namespace or
+ * root with CAP_AUDIT_WRITE on the host entering a namespace may set
   * audit rules inside a namespace.
   */
  static bool may_set_audit_rule_in_ns(kuid_t uid, struct user_namespace 
*user_ns)
  {
         return (uid_eq(uid, GLOBAL_ROOT_UID) &&
-               ns_capable(user_ns, CAP_SYS_ADMIN))
-               || capable(CAP_SYS_ADMIN);
+               ns_capable(user_ns, CAP_AUDIT_WRITE))
+               || capable(CAP_AUDIT_WRITE);
  }
  static int ima_parse_rule(struct user_namespace *user_ns,
                           char *rule, struct ima_rule_entry *entry)


What this check is to prevent is that non-root users spawn a user 
namespace and set IMA-audit rules which enables them to flood the audit 
log. From what I see non-root users have the full capability set in a 
user namespace they spawn. So it has to be filtered to root maybe with 
CAP_SYS_WRITE instead of CAP_SYS_ADMIN.

