On 12/10/21 14:47, Stefan Berger wrote:
Implement an IMA namespace data structure that gets created alongside a
user namespace with CLONE_NEWUSER. This lays down the foundation for
namespacing the different aspects of IMA (eg. IMA-audit, IMA-measurement,
IMA-appraisal).
Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>
Suggested-by: James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx>
---
include/linux/ima.h | 37 +++++++++++++
include/linux/user_namespace.h | 4 ++
init/Kconfig | 10 ++++
kernel/user.c | 7 +++
kernel/user_namespace.c | 8 +++
security/integrity/ima/Makefile | 3 +-
security/integrity/ima/ima.h | 4 ++
security/integrity/ima/ima_init.c | 4 ++
security/integrity/ima/ima_init_ima_ns.c | 32 +++++++++++
security/integrity/ima/ima_ns.c | 69 ++++++++++++++++++++++++
10 files changed, 177 insertions(+), 1 deletion(-)
create mode 100644 security/integrity/ima/ima_init_ima_ns.c
create mode 100644 security/integrity/ima/ima_ns.c
diff --git a/include/linux/ima.h b/include/linux/ima.h
index b6ab66a546ae..f282e40c316c 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -11,6 +11,7 @@
#include <linux/fs.h>
#include <linux/security.h>
#include <linux/kexec.h>
+#include <linux/user_namespace.h>
#include <crypto/hash_info.h>
struct linux_binprm;
@@ -210,6 +211,42 @@ static inline int ima_inode_removexattr(struct dentry *dentry,
}
#endif /* CONFIG_IMA_APPRAISE */
+struct ima_namespace {
+ int avoid_zero_size;
+};
I moved the structure to security/integrity/ima/ima.h for v7 and added
__randomize_layout to it.
Stefan