[PATCH v14 00/26] ima: Namespace IMA with audit support in IMA-ns
Stefan Berger
stefanb at linux.ibm.com
Fri Sep 16 13:20:55 UTC 2022
On 9/16/22 06:54, Stefan Berger wrote:
>
>
> On 9/15/22 20:56, Casey Schaufler wrote:
>> On 9/15/2022 12:31 PM, Stefan Berger wrote:
>>> The goal of this series of patches is to start with the namespacing of
>>> IMA and support auditing within an IMA namespace (IMA-ns) as the first
>>> step.
>>>
>>> In this series the IMA namespace is piggybacking on the user namespace
>>> and therefore an IMA namespace is created when a user namespace is
>>> created, although this is done late when SecurityFS is mounted inside
>>> a user namespace. The advantage of piggybacking on the user namespace
>>> is that the user namespace can provide the keys infrastructure that IMA
>>> appraisal support will need later on.
>>>
>>> We chose the goal of supporting auditing within an IMA namespace
>>> since it
>>> requires the least changes to IMA. Following this series, auditing
>>> within
>>> an IMA namespace can be activated by a root running the following lines
>>> that rely on a statically linked busybox to be installed on the host for
>>> execution within the minimal container environment:
>>>
>>> As root (since audit rules may now only be set by root):
>>
>> How about calling out the required capabilities? You don't need
>> to be root, you need a specific set of capabilities. It would be
>> very useful for the purposes of understanding the security value
>> of the patch set to know this.
>>
> CAP_AUDIT_WRITE?
>
Currently the capabilities that are required are CAP_SYS_ADMIN, which I
could change to CAP_AUDIT_WRITE. This would result in the following
change to 26/26:
diff --git a/security/integrity/ima/ima_policy.c
b/security/integrity/ima/ima_policy.c
index 760e79bb5a34..40cd19d38f23 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -1396,15 +1396,15 @@ static unsigned int
ima_parse_appraise_algos(char *arg)
}
/*
- * Either host root with CAP_SYS_ADMIN in current user namespace or
- * root with CAP_SYS_ADMIN on the host entering a namespace may set
+ * Either host root with CAP_AUDIT_WRITE in current user namespace or
+ * root with CAP_AUDIT_WRITE on the host entering a namespace may set
* audit rules inside a namespace.
*/
static bool may_set_audit_rule_in_ns(kuid_t uid, struct user_namespace
*user_ns)
{
return (uid_eq(uid, GLOBAL_ROOT_UID) &&
- ns_capable(user_ns, CAP_SYS_ADMIN))
- || capable(CAP_SYS_ADMIN);
+ ns_capable(user_ns, CAP_AUDIT_WRITE))
+ || capable(CAP_AUDIT_WRITE);
}
static int ima_parse_rule(struct user_namespace *user_ns,
char *rule, struct ima_rule_entry *entry)
What this check is to prevent is that non-root users spawn a user
namespace and set IMA-audit rules which enables them to flood the audit
log. From what I see non-root users have the full capability set in a
user namespace they spawn. So it has to be filtered to root maybe with
CAP_SYS_WRITE instead of CAP_SYS_ADMIN.
More information about the Linux-security-module-archive
mailing list