Re: [RFC 3/3] ima: make the integrity inode cache per namespace

On 11/29/21 07:50, James Bottomley wrote:
> On Sun, 2021-11-28 at 22:58 -0600, Serge E. Hallyn wrote:
> > On Sat, Nov 27, 2021 at 04:45:49PM +0000, James Bottomley wrote:
> > > Currently we get one entry in the IMA log per unique file
> > > event.  So, if you have a measurement policy and it measures a
> > > particular binary it will not get measured again if it is
> > > subsequently executed. For Namespaced IMA, the correct behaviour
> > > seems to be to log once per inode per namespace (so every unique
> > > execution in a namespace gets a separate log entry).  Since logging
> > > once per inode per namespace is
> > I suspect I'll need to do a more in-depth reading of the existing
> > code, but I'll ask the lazy question anyway (since you say "the
> > correct behavior seems to be") - is it actually important that
> > files which were appraised under a parent namespace's policy already
> > should be logged again?
> I think so.  For a couple of reasons, assuming the namespace eventually
> gets its own log entries, which the next incremental patch proposed to
> do by virtualizing the securityfs entries.  If you don't do this:

To avoid duplicate efforts, an implementation of a virtualized securityfs is in this series here:

https://github.com/stefanberger/linux-ima-namespaces/commits/v5.15%2Bimans.20211119.v3

It starts with 'securityfs: Prefix global variables with securityfs_'

   Stefan
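The two cache policies argued about above (one log entry per inode, versus one per inode per namespace) can be shown in a small userspace model. This is an added example written for this page; it is not code from the RFC series, from Stefan's tree, or from the kernel's IMA implementation. The struct and function names (ima_model, ima_measure, run_scenario, the measured_ns bitmask) are hypothetical stand-ins for the real integrity_iint_cache state, and the inode number and namespace ids are constructed input.

```c
/* Userspace model of IMA measurement de-duplication, written for this page.
 * Not kernel code: the real integrity inode cache (iint) and namespace
 * objects are replaced by the hypothetical types below. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define MAX_INODES 16
#define MAX_NS     32   /* bitmask width; ns ids must stay below this */
#define MAX_LOG    64

/* Cached integrity state for one inode. Today the kernel keeps one such
 * entry per inode system-wide; the RFC moves towards per-namespace state. */
struct iint {
    uint64_t ino;
    int      measured;      /* global "already logged" flag (current behaviour) */
    uint32_t measured_ns;   /* per-namespace bits (behaviour the RFC argues for) */
};

struct log_entry { uint64_t ino; int ns; };

struct ima_model {
    struct iint      cache[MAX_INODES];
    int              ncache;
    struct log_entry log[MAX_LOG];
    int              nlog;
    int              per_ns;   /* 0: once per inode; 1: once per inode per ns */
};

static struct iint *iint_find_or_create(struct ima_model *m, uint64_t ino)
{
    for (int i = 0; i < m->ncache; i++)
        if (m->cache[i].ino == ino)
            return &m->cache[i];
    if (m->ncache >= MAX_INODES)
        return NULL;
    struct iint *n = &m->cache[m->ncache++];
    n->ino = ino;
    n->measured = 0;
    n->measured_ns = 0;
    return n;
}

/* Simulate the measurement hook for an exec of inode `ino` in namespace `ns`.
 * Returns 1 if a log entry was appended, 0 if the cache suppressed it,
 * -1 on error (out of range ns, cache or log full). */
int ima_measure(struct ima_model *m, uint64_t ino, int ns)
{
    if (ns < 0 || ns >= MAX_NS)
        return -1;
    struct iint *i = iint_find_or_create(m, ino);
    if (!i)
        return -1;

    if (m->per_ns) {
        if (i->measured_ns & (1u << ns))
            return 0;               /* this ns already logged this inode */
        i->measured_ns |= 1u << ns;
    } else {
        if (i->measured)
            return 0;               /* logged once system-wide, never again */
        i->measured = 1;
    }

    if (m->nlog >= MAX_LOG)
        return -1;
    m->log[m->nlog].ino = ino;
    m->log[m->nlog].ns = ns;
    m->nlog++;
    return 1;
}

/* Number of log entries for `ino`; ns < 0 counts entries from every namespace. */
int ima_log_count(const struct ima_model *m, uint64_t ino, int ns)
{
    int count = 0;
    for (int i = 0; i < m->nlog; i++)
        if (m->log[i].ino == ino && (ns < 0 || m->log[i].ns == ns))
            count++;
    return count;
}

/* Scenario from the thread (constructed): one binary (inode 1234) is executed
 * twice in the init namespace (ns 0) and twice inside a child namespace (ns 1).
 * Returns how many measurement entries that binary produced. */
int run_scenario(int per_ns)
{
    struct ima_model m;
    memset(&m, 0, sizeof m);
    m.per_ns = per_ns;
    ima_measure(&m, 1234, 0);   /* first exec in init ns: logged */
    ima_measure(&m, 1234, 0);   /* re-exec in init ns: suppressed either way */
    ima_measure(&m, 1234, 1);   /* first exec in ns 1: logged only if per_ns */
    ima_measure(&m, 1234, 1);   /* re-exec in ns 1: suppressed either way */
    return ima_log_count(&m, 1234, -1);
}

int main(void)
{
    printf("global iint cache : %d entries\n", run_scenario(0));
    printf("per-namespace     : %d entries\n", run_scenario(1));
    return 0;
}
```

With the global flag the child namespace never sees a measurement for a binary the parent already ran, which is the gap James's reply points at; with the per-namespace bit the child gets its own entry, while a second exec inside the same namespace is still de-duplicated, matching "once per inode per namespace" rather than once per exec.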
