Re: [PATCH v10 00/27] ima: Namespace IMA with audit support in IMA-ns

On 2/2/22 09:13, Christian Brauner wrote:
> On Tue, Feb 01, 2022 at 03:37:08PM -0500, Stefan Berger wrote:
>>
>> v10:
>>   - Added A-b's; addressed issues from v9
>>   - Added 2 patches to support freeing of iint after namespace deletion
>>   - Added patch to return error code from securityfs functions
>>   - Added patch to limit number of policy rules in IMA-ns to 1024
>
> I'm going to go take a lighter touch with this round of reviews.
> First, because I have February off. :)
> Second, because I think that someone who is more familiar with IMA and
> its requirements should take another look to provide input and ask more
> questions. Last time I spoke to Serge he did want to give this a longer
> look and maybe also has additional questions.

The one problem I am seeing is that we probably cannot support auditing in IMA namespaces since every user can now create an IMA namespace. Unless auditing was namespaced, the way it is now gives too much control to the user to flood the host audit log. So, we may need to head towards support for IMA measurements in the IMA namespace right away and not support audit rules, but also possibly eliminate other actions that are being audited by IMA so they do not occur while an IMA namespace is active, such as when policy rules are being set etc. Not supporting auditing in IMA-ns affects only a few of the patches in this series. We need most of them as a basis for IMA measurements, but to get to IMA measurements along with support for inheritance and configuration of the hash algorithm and log template etc. to use in the IMA namespace, and to set it in its configuration 'stage' (before activation), we will need at least 25 more patches on top of what we have here now... so this series will then be around 50 patches.

   Stefan
