On Mon, 2021-12-13 at 16:11 -0500, Stefan Berger wrote:
> On 12/10/21 14:47, Stefan Berger wrote:
> > Implement an IMA namespace data structure that gets created alongside a
> > user namespace with CLONE_NEWUSER. This lays down the foundation for
> > namespacing the different aspects of IMA (eg. IMA-audit, IMA-measurement,
> > IMA-appraisal).
> >
> > Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>
> > Suggested-by: James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx>
> > ---
> > include/linux/ima.h | 37 +++++++++++++
> > include/linux/user_namespace.h | 4 ++
> > init/Kconfig | 10 ++++
> > kernel/user.c | 7 +++
> > kernel/user_namespace.c | 8 +++
> > security/integrity/ima/Makefile | 3 +-
> > security/integrity/ima/ima.h | 4 ++
> > security/integrity/ima/ima_init.c | 4 ++
> > security/integrity/ima/ima_init_ima_ns.c | 32 +++++++++++
> > security/integrity/ima/ima_ns.c | 69 ++++++++++++++++++++++++
> > 10 files changed, 177 insertions(+), 1 deletion(-)
> > create mode 100644 security/integrity/ima/ima_init_ima_ns.c
> > create mode 100644 security/integrity/ima/ima_ns.c
> >
> > diff --git a/include/linux/ima.h b/include/linux/ima.h
> > index b6ab66a546ae..f282e40c316c 100644
> > --- a/include/linux/ima.h
> > +++ b/include/linux/ima.h
> > @@ -11,6 +11,7 @@
> > #include <linux/fs.h>
> > #include <linux/security.h>
> > #include <linux/kexec.h>
> > +#include <linux/user_namespace.h>
> > #include <crypto/hash_info.h>
> > struct linux_binprm;
> >
> > @@ -210,6 +211,42 @@ static inline int ima_inode_removexattr(struct dentry *dentry,
> > }
> > #endif /* CONFIG_IMA_APPRAISE */
> >
> > +struct ima_namespace {
> > + int avoid_zero_size;
> > +};
> >
> I moved the structure to security/integrity/ima/ima.h for v7 and added
> __randomize_layout to it.

Much better than being in the public ima.h.

thanks!

Mimi