On Tue, Aug 18, 2020 at 05:20:07PM +0200, krzysztof.struczynski@xxxxxxxxxx wrote:
> From: Krzysztof Struczynski <krzysztof.struczynski@xxxxxxxxxx>
>
> IMA has not been designed to work with containers. It handles every
> process in the same way, and it cannot distinguish if a process belongs to
> a container or not.
>
> Containers use namespaces to make it appear to the processes in the
> containers that they have their own isolated instance of the global
> resource. For IMA as well, it is desirable to let processes in the

IMA is brought up on a regular basis with "we want to have this" for years
and then no-one seems to really care enough. I'm highly skeptical of the
value of ~2500 lines of code even if it includes a bunch of namespace
boilerplate. It's yet another namespace, and yet another security
framework. Why does IMA need to be a separate namespace? Keyrings are tied
to user namespaces, why can't IMA be? I believe Eric has even pointed that
out before.

Eric, thoughts?

Christian