This patch set implements an IMA namespace data structure that gets created by first writing a '1' into IMA's securityfs unshare file at /sys/kernel/security/ima/unshare and then by clone(). This patch set lays down the foundation for namespacing the different aspects of IMA (e.g. IMA-audit, IMA-measurement, IMA-appraisal).

The original PoC patches created a new CLONE_NEWIMA flag to explicitly control when a new IMA namespace should be created. The previously posted version 2 of this series had it hooked on the mount namespace, which was regarded as inappropriate. The subsequent v3 tied it to the creation of a user namespace. Based on comments, we elected to now again create an independent IMA namespace through the above-mentioned securityfs file.

The first patch creates the ima_namespace data, while the second patch puts the iint->flags in the namespace. The third patch introduces an audit message type for IMA policy rules. The fourth patch introduces a new IMA policy rule attribute 'ns' making rules only applicable to child IMA namespaces. The last patch uses the flags for namespacing the IMA-audit messages, enabling the same file to be audited each time it is accessed in a new namespace.
Stefan

Mehmet Kayaalp (2):
  ima: Add ns_status for storing namespaced iint data
  ima: namespace audit status flags

Mimi Zohar (1):
  ima: differentiate auditing policy rules from "audit" actions

Stefan Berger (1):
  ima: extend IMA audit policy rules with attribute to audit namespaces

Yuqiong Sun (1):
  ima: Add IMA namespace support

 fs/proc/namespaces.c                     |   3 +
 include/linux/ima.h                      |  53 +++++++++
 include/linux/nsproxy.h                  |   2 +
 include/linux/proc_ns.h                  |   1 +
 include/linux/sched.h                    |   6 +
 include/linux/user_namespace.h           |   1 +
 include/uapi/linux/audit.h               |   3 +-
 init/Kconfig                             |  11 ++
 kernel/fork.c                            |   5 +
 kernel/nsproxy.c                         |  25 ++++-
 kernel/ucount.c                          |   1 +
 security/integrity/ima/Makefile          |   3 +-
 security/integrity/ima/ima.h             |  82 +++++++++++++-
 security/integrity/ima/ima_api.c         |  14 ++-
 security/integrity/ima/ima_appraise.c    |   2 +-
 security/integrity/ima/ima_fs.c          |  55 ++++++++++
 security/integrity/ima/ima_init.c        |   4 +
 security/integrity/ima/ima_init_ima_ns.c |  51 +++++++++
 security/integrity/ima/ima_main.c        |  18 ++-
 security/integrity/ima/ima_ns.c          | 183 +++++++++++++++++++++++++++++++
 security/integrity/ima/ima_ns_status.c   | 133 ++++++++++++++++++++++
 security/integrity/ima/ima_policy.c      |  77 ++++++++++++-
 22 files changed, 712 insertions(+), 21 deletions(-)
 create mode 100644 security/integrity/ima/ima_init_ima_ns.c
 create mode 100644 security/integrity/ima/ima_ns.c
 create mode 100644 security/integrity/ima/ima_ns_status.c

-- 
2.14.3
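The user-space sequence the cover letter describes (write '1' to the securityfs unshare file, then clone()), as an added example that is not part of the patch series. It assumes securityfs is mounted at /sys/kernel/security, that the caller is permitted to write that file, and uses fork() as the clone() call; child_work is a placeholder for whatever runs in the child.

```c
/* Added example (not from the patch series): request a new IMA namespace as
 * the cover letter describes: write '1' to IMA's securityfs "unshare" file,
 * then clone(), done here with fork(). Assumes securityfs is mounted at
 * /sys/kernel/security and the caller may write that file. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Write "1" to the unshare file. Returns 0 on success, -errno on failure. */
static int ima_request_unshare(const char *path)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -errno;
    ssize_t n = write(fd, "1", 1);
    int err = (n == 1) ? 0 : (n < 0 ? -errno : -EIO);
    close(fd);
    return err;
}

/* Request the unshare, then clone(): the child is the process placed in the
 * new IMA namespace. Returns the child's exit code (0..255) or -errno. */
static int run_after_ima_unshare(const char *path, int (*child_fn)(void))
{
    int err = ima_request_unshare(path);
    if (err)
        return err;
    pid_t pid = fork();
    if (pid < 0)
        return -errno;
    if (pid == 0)
        _exit(child_fn() & 0xff);
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -ECHILD;
}

static int child_work(void) { return 0; } /* placeholder: audited in the child's namespace */

int main(void)
{
    int rc = run_after_ima_unshare("/sys/kernel/security/ima/unshare", child_work);
    if (rc < 0)
        fprintf(stderr, "IMA unshare failed: %s\n", strerror(-rc));
    return rc < 0 ? 1 : rc;
}
```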