On 12/15/21 16:31, Mimi Zohar wrote:
Hi Stefan, James,
On Fri, 2021-12-10 at 14:47 -0500, Stefan Berger wrote:
Set up securityfs with symlinks, directories, and files for IMA
namespacing support. The same directory structure that IMA uses on the
host is also created for the namespacing case.
The securityfs file and directory ownerships cannot be set when the
IMA namespace is initialized. Therefore, delay the setup of the file
system to a later point when securityfs is in securityfs_fill_super.
This filesystem can now be mounted as follows:
mount -t securityfs /sys/kernel/security/ /sys/kernel/security/
The following directories, symlinks, and files are then available.
$ ls -l sys/kernel/security/
total 0
lr--r--r--. 1 root root 0 Dec 2 00:18 ima -> integrity/ima
drwxr-xr-x. 3 root root 0 Dec 2 00:18 integrity
The ima symlink was introduced for backwards compatibility. Refer to
commit 0c343af8065b ("integrity: Add an integrity directory in
securityfs"). The symlink shouldn't need to be supported in an IMA
namespace.
That's backwards compatibility for applications and scripts. If we want
to have these running unmodified inside IMA namespaces I think it's
better to keep the symbolic link and not treat the IMA namespaces any
differently than the host.
Stefan
thanks,
Mimi
$ ls -l sys/kernel/security/ima/
total 0
-r--r-----. 1 root root 0 Dec 2 00:18 ascii_runtime_measurements
-r--r-----. 1 root root 0 Dec 2 00:18 binary_runtime_measurements
-rw-------. 1 root root 0 Dec 2 00:18 policy
-r--r-----. 1 root root 0 Dec 2 00:18 runtime_measurements_count
-r--r-----. 1 root root 0 Dec 2 00:18 violations
Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>
Signed-off-by: James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx>