On Tue, 2017-07-25 at 22:00 -0500, Serge E. Hallyn wrote: > On Fri, Jul 14, 2017 at 03:26:14PM -0400, Mimi Zohar wrote: > > On Fri, 2017-07-14 at 13:17 -0500, Eric W. Biederman wrote: > > > Which brings us to the semantic question of would it be nice to have > > > stacked IMA/EVM on the same file. > > > > > > I really don't think we do. I think allowing multiple keys for > > > different part of trusting files is easy enough that we should have no > > > need to fight over which keys do which. > > > > We definitely want to support different policies on the native and in > > the namespace with different keys and keyrings. > > Ok, so Stefan's code to support userspace in a container reading > security.ima and getting back the value for security.ima@uid=1000 > (if 1000 is the kuid of the container's root user) is in fact > useful to IMA? Definitely! Root within the namespace needs to be able to read and write security.ima in order to (re)sign files, with a specific key known to that container. Stefan's code provides different views of the security xattrs. Mimi _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers
