Re: [RFC 20/20] ima: Setup securityfs_ns for IMA namespace

On 12/1/21 17:19, James Bottomley wrote:
> On Wed, 2021-12-01 at 17:09 -0500, Stefan Berger wrote:
>> On 12/1/21 17:01, James Bottomley wrote:
>>> I don't see this because my setup for everything is triggered off
>>> the first use of the IMA namespace.  You'd need to have some type
>>> of lazy setup of the inodes as well to give unshare time to install
>>> the uid/gid mappings.
>> What could trigger that? A callback while mounting - but I am not
>> sure where to hook into then. What are your mechanisms to trigger as
>> the 'first use of the IMA namespace'? What is 'use' here?
> Use for me is the first event that gets logged in the new namespace.
>
> However, I don't think this is a good trigger, it's just a random thing
> I was playing with.  Perhaps trigger on mount is a good one ... that
> could be done from securityfs_ns_init_fs_context?

Yes, this here does the trick now for late init also with runc. The late uid adjustments are gone.

/*
 * Runs when securityfs is mounted inside a user namespace, i.e. after
 * unshare has had the chance to write the uid/gid mappings.
 */
static int securityfs_ns_init_fs_context(struct fs_context *fc)
{
        int rc;

        /* Run the IMA namespace's deferred setup, if one is registered. */
        if (fc->user_ns->ima_ns->late_fs_init) {
                rc = fc->user_ns->ima_ns->late_fs_init(fc->user_ns);
                if (rc)
                        return rc;
        }
        fc->ops = &securityfs_ns_context_ops;
        return 0;
}

   Stefan

> James