On Fri, 2017-07-14 at 11:52 -0700, James Bottomley wrote: > On Fri, 2017-07-14 at 14:48 -0400, Mimi Zohar wrote: > > The concern is with a shared filesystems. In that case, for IMA it > > would make sense to support a native and a namespace xattr. If due > > to xattr space limitations we have to limit the number of xattrs, > > then we should limit it to two - a native and a namespace version, > > with a "uid=" tag - first namespace gets permission to write the > > namespace xattr. Again, like in the layered case, if the namespace > > xattr doesn't exist, fall back to using the native xattr. > > Just on this point: if we're really concerned about the need on shared > filesystems to have multiple IMA signatures per file, might it not make > sense simply to support multiple signatures within the security.ima > xattr? The rules for writing signature updates within user namespaces > would be somewhat complex (say only able to replace a signature for > which you demonstrate you possess the key) but it would lead to an > implementation which would work for traditional shared filesystems > (like NFS) as well as containerised bind mounts. Writing security.ima requires being root with CAP_SYS_ADMIN privileges. I wouldn't want to give root within the namespace permission to over write or just extend the native security.ima. Mimi _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers
