On Tue, Jan 25, 2022 at 05:46:42PM -0500, Stefan Berger wrote:
> From: Stefan Berger <stefanb@xxxxxxxxxxxxx>
>
> Set up securityfs with symlinks, directories, and files for IMA
> namespacing support. The same directory structure that IMA uses on the
> host is also created for the namespacing case.
>
> The securityfs file and directory ownerships cannot be set when the
> IMA namespace is initialized. Therefore, delay the setup of the file
> system to a later point when securityfs is in securityfs_fill_super.
>
> Introduce a variable ima_policy_removed in ima_namespace that is used to
> remember whether the policy file has previously been removed and thus
> should not be created again in case of unmounting and again mounting
> securityfs inside an IMA namespace.
>
> This filesystem can now be mounted as follows:
>
> mount -t securityfs /sys/kernel/security/ /sys/kernel/security/
>
> The following directories, symlinks, and files are available
> when IMA namespacing is enabled, otherwise it will be empty:
>
> $ ls -l sys/kernel/security/
> total 0
> lr--r--r--. 1 root root 0 Dec 2 00:18 ima -> integrity/ima
> drwxr-xr-x. 3 root root 0 Dec 2 00:18 integrity
>
> $ ls -l sys/kernel/security/ima/
> total 0
> -r--r-----. 1 root root 0 Dec 2 00:18 ascii_runtime_measurements
> -r--r-----. 1 root root 0 Dec 2 00:18 binary_runtime_measurements
> -rw-------. 1 root root 0 Dec 2 00:18 policy
> -r--r-----. 1 root root 0 Dec 2 00:18 runtime_measurements_count
> -r--r-----. 1 root root 0 Dec 2 00:18 violations
>
> Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>
> Signed-off-by: James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx>
>
> ---

Acked-by: Christian Brauner <brauner@xxxxxxxxxx>