Re: [PATCH v5 14/16] ima: Use mac_admin_ns_capable() to check corresponding capability

[Stefan Berger <stefanb@xxxxxxxxxxxxx>]

On 12/11/21 10:02, Serge E. Hallyn wrote:
> IMO yes it is unsafe, however I concede that I am not sufficiently familiar
> with the policy language.  At least Stefan and Mimi (IIUC) want the host
> policy language to be able to specify cases where an IMA ns can be
> configured.  What's not clear to me is what sorts of triggers the host
> IMA policy could specify that would safely identify a IMA ns generation
> trigger.
>
> Stefan, would you mind showing what such a policy statement would look like?
> Does it amount to "/usr/bin/runc may create an IMA ns which escapes current
> policy" ?  Or is it by UID, or any file which has a certain xattr on it?

If this policy here is active on the host then file executions 
(BPRM_CHECK) of uid=0 should be measured and audited on the host in any 
IMA namespace that uid=0 may create. We achieve this with hierarchical 
processing (v6: 10/17).

measure func=BPRM_CHECK mask=MAY_EXEC uid=0

audit func=BPRM_CHECK mask=MAY_EXEC uid=0

   Stefan


> -serge
>
> On Thu, Dec 09, 2021 at 08:09:20AM +0000, Denis Semakin wrote:
> > Following that thoughts...
> > Will it be so incorrectly to unbound IMA-ns from USER-ns?
> > I realize that it could lead a lot of problems but it is still unclear will current IMA-ns will be useful for Kuber...
> > How userland supposed to use current IMA-ns implementation?
> >
> > Br,
> > Denis
> >
> > -----Original Message-----
> > From: Denis Semakin
> > Sent: Thursday, December 9, 2021 10:22 AM
> > To: 'Stefan Berger' <stefanb@xxxxxxxxxxxxx>; linux-integrity@xxxxxxxxxxxxxxx
> > Cc: zohar@xxxxxxxxxxxxx; serge@xxxxxxxxxx; christian.brauner@xxxxxxxxxx; containers@xxxxxxxxxxxxxxx; dmitry.kasatkin@xxxxxxxxx; ebiederm@xxxxxxxxxxxx; Krzysztof Struczynski <krzysztof.struczynski@xxxxxxxxxx>; Roberto Sassu <roberto.sassu@xxxxxxxxxx>; mpeters@xxxxxxxxxx; lhinds@xxxxxxxxxx; lsturman@xxxxxxxxxx; puiterwi@xxxxxxxxxx; jejb@xxxxxxxxxxxxx; jamjoom@xxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx; paul@xxxxxxxxxxxxxx; rgb@xxxxxxxxxx; linux-security-module@xxxxxxxxxxxxxxx; jmorris@xxxxxxxxx
> > Subject: RE: [PATCH v5 14/16] ima: Use mac_admin_ns_capable() to check corresponding capability
> >
> > Hi.
> > My question won't be about capabilities. I'm wondering how IMA-ns which is associated with USER-ns and is created during USER-ns creation would be used by some namespaces orchestration systems, e.g. Kubernetes?.. It seems that it can be run without any user namespaces...
> > Their community just discuss this opportunity to support User namespaces. (see https://github.com/kubernetes/enhancements/pull/2101)
> > Looks like currently IMA-ns will not be applicable for Kubernetes.
> >
> > Br,
> > Denis
> >
> > -----Original Message-----
> > From: Stefan Berger [mailto:stefanb@xxxxxxxxxxxxx]
> > Sent: Thursday, December 9, 2021 1:18 AM
> > To: linux-integrity@xxxxxxxxxxxxxxx
> > Cc: zohar@xxxxxxxxxxxxx; serge@xxxxxxxxxx; christian.brauner@xxxxxxxxxx; containers@xxxxxxxxxxxxxxx; dmitry.kasatkin@xxxxxxxxx; ebiederm@xxxxxxxxxxxx; Krzysztof Struczynski <krzysztof.struczynski@xxxxxxxxxx>; Roberto Sassu <roberto.sassu@xxxxxxxxxx>; mpeters@xxxxxxxxxx; lhinds@xxxxxxxxxx; lsturman@xxxxxxxxxx; puiterwi@xxxxxxxxxx; jejb@xxxxxxxxxxxxx; jamjoom@xxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx; paul@xxxxxxxxxxxxxx; rgb@xxxxxxxxxx; linux-security-module@xxxxxxxxxxxxxxx; jmorris@xxxxxxxxx; Stefan Berger <stefanb@xxxxxxxxxxxxx>; Denis Semakin <denis.semakin@xxxxxxxxxx>
> > Subject: [PATCH v5 14/16] ima: Use mac_admin_ns_capable() to check corresponding capability
> >
> > Use mac_admin_ns_capable() to check corresponding capability to allow read/write IMA policy without CAP_SYS_ADMIN but with CAP_MAC_ADMIN.
> >
> > Signed-off-by: Denis Semakin <denis.semakin@xxxxxxxxxx>
> > Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>
> > ---
> >   include/linux/capability.h      | 6 ++++++
> >   security/integrity/ima/ima_fs.c | 2 +-
> >   2 files changed, 7 insertions(+), 1 deletion(-)
> >
> > diff --git a/include/linux/capability.h b/include/linux/capability.h index 65efb74c3585..991579178f32 100644
> > --- a/include/linux/capability.h
> > +++ b/include/linux/capability.h
> > @@ -270,6 +270,12 @@ static inline bool checkpoint_restore_ns_capable(struct user_namespace *ns)
> >   		ns_capable(ns, CAP_SYS_ADMIN);
> >   }
> >   
> > +static inline bool mac_admin_ns_capable(struct user_namespace *ns) {
> > +	return ns_capable(ns, CAP_MAC_ADMIN) ||
> > +		ns_capable(ns, CAP_SYS_ADMIN);
> > +}
> > +
> >   /* audit system wants to get cap info from files as well */  int get_vfs_caps_from_disk(struct user_namespace *mnt_userns,
> >   			   const struct dentry *dentry,
> > diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c index 0e582ceecc7f..a749a3e79304 100644
> > --- a/security/integrity/ima/ima_fs.c
> > +++ b/security/integrity/ima/ima_fs.c
> > @@ -394,7 +394,7 @@ static int ima_open_policy(struct inode *inode, struct file *filp)  #else
> >   		if ((filp->f_flags & O_ACCMODE) != O_RDONLY)
> >   			return -EACCES;
> > -		if (!capable(CAP_SYS_ADMIN))
> > +		if (!mac_admin_ns_capable(ns->user_ns))
> >   			return -EPERM;
> >   		return seq_open(filp, &ima_policy_seqops);  #endif
> > --
> > 2.31.1