On Tue, 2022-02-01 at 15:37 -0500, Stefan Berger wrote:
> Define the ima_namespace structure and the ima_namespace variable
> init_ima_ns for the host's IMA namespace. Implement basic functions for
> namespacing support.

Implement the basic functions - ima_ns_init() and ima_init_namespace() -
for namespacing support.

>
> Move variables related to the IMA policy into the ima_namespace. This way
> the IMA policy of an IMA namespace can be set and displayed using a
> front-end like securityfs.
> Implement ima_ns_from_file() to get the IMA namespace via the user
> namespace of the securityfs superblock that a file belongs to.

Currently, ima_ns_from_file() doesn't exist in this patch.

>
> To get the current ima_namespace use &init_ima_ns when a function
> that is related to a policy rule is called.

In preparation for IMA namespacing, update the existing functions to
pass the ima_namespace struct. For now, ...

>
>
> Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>
> Acked-by: Christian Brauner <brauner@xxxxxxxxxx>

After addressing the one inline comment,

Reviewed-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>

>
> ---
>
> @@ -119,6 +117,17 @@ struct ima_kexec_hdr {
> u64 count;
> };
>
> +struct ima_namespace {
> + /* policy rules */
> + struct list_head ima_default_rules;
> + struct list_head ima_policy_rules;
> + struct list_head ima_temp_rules;

These local policy variables weren't previously commented, but with the
move to a structure it would be good to add comments. For example, the
architecture policy rules persist even after a custom policy is loaded.

ima_default_rules: /* Kconfig, builtin, & arch rules */
ima_policy_rules: /* arch & custom rules */

> +
> + struct list_head __rcu *ima_rules; /* current policy */

/* Pointer to the current policy */.

> + int ima_policy_flag;
> +} __randomize_layout;
> +extern struct ima_namespace init_ima_ns;
> +
> extern const int read_idmap[];
>
> #ifdef CONFIG_HAVE_IMA_KEXEC

>
> {
> + struct ima_namespace *ns = &init_ima_ns;
> char *data;
> ssize_t result;
>
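Review bot: in the `struct ima_namespace` hunk, `ima_temp_rules` is left out of the per-field comments suggested above, and `ima_policy_flag` gets no comment either; since the struct now bundles all of the policy state, each of the five members deserves a one-line description (for `ima_temp_rules`, that it holds rules parsed from a policy write that have not yet been committed, and for `ima_policy_flag`, what its bits summarise), and the single `/* policy rules */` line above the three lists does not do that. A minor style point in the same hunk: `+extern struct ima_namespace init_ima_ns;` follows `+} __randomize_layout;` with no blank line in between; separating the declaration from the struct body matches the surrounding header's spacing.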
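Review bot: in the second hunk, `struct ima_namespace *ns = &init_ima_ns;` hard-wires the host namespace, which is the interim approach the commit message states, but the hunk as quoted has no `@@` header or function name, so it is not possible to tell from these lines which securityfs read path this is or whether `ns` is consumed further down in the function; if it is only introduced here for a later patch, it will be an unused local until then, and the commit message should say which functions now take or derive the namespace so the change can be reviewed against that list.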
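The commit message and the hunk describe the shape of the change but not how the pieces behave together, so here is an added userspace C model of it. It is example code written for this page, not the patch's or the kernel's code: only the five `struct ima_namespace` field names and `init_ima_ns` come from the hunk. The `list_head` helpers are a minimal stand-in for `<linux/list.h>`, `__rcu` and `__randomize_layout` are dropped, the path-prefix rule format and the action bits are constructed, and `ima_stage_rule()`, `ima_update_policy()`, `ima_match_policy()`, `ima_ns_current()` and the seeded builtin rule are assumptions about the design, not IMA's real functions. The point it makes is the one the patch is after: once the rule lists and `ima_policy_flag` live per namespace, loading a custom policy into one namespace switches only that namespace's `ima_rules` pointer, and a second namespace keeps matching against its own lists.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for <linux/list.h> (assumption: the kernel's intrusive list). */
struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *h)
{
	n->prev = h->prev; n->next = h;
	h->prev->next = n; h->prev = n;
}

/* Move every entry of `from` to the tail of `to`, leaving `from` empty. */
static void list_splice_tail_init(struct list_head *from, struct list_head *to)
{
	if (from->next == from)
		return;
	from->next->prev = to->prev;
	to->prev->next = from->next;
	from->prev->next = to;
	to->prev = from->prev;
	INIT_LIST_HEAD(from);
}

enum { RULE_MEASURE = 1, RULE_APPRAISE = 2 };	/* constructed action bits */

/* Constructed rule format: first rule whose path prefix matches wins. */
struct ima_rule_entry {
	struct list_head list;
	const char *prefix;
	int action;
};

/* Field names follow the hunk; __rcu and __randomize_layout are omitted. */
struct ima_namespace {
	struct list_head ima_default_rules;	/* builtin rules (seeded below) */
	struct list_head ima_policy_rules;	/* committed custom rules */
	struct list_head ima_temp_rules;	/* staged, not yet committed */
	struct list_head *ima_rules;		/* current policy */
	int ima_policy_flag;			/* OR of actions in current policy */
};

struct ima_namespace init_ima_ns;

static struct ima_rule_entry *rule_of(struct list_head *l)
{
	return (struct ima_rule_entry *)((char *)l - offsetof(struct ima_rule_entry, list));
}

static struct ima_rule_entry *new_rule(const char *prefix, int action)
{
	struct ima_rule_entry *e = calloc(1, sizeof(*e));
	if (!e)
		abort();
	e->prefix = prefix;
	e->action = action;
	return e;
}

static void ima_set_policy_flag(struct ima_namespace *ns)
{
	struct list_head *l;
	ns->ima_policy_flag = 0;
	for (l = ns->ima_rules->next; l != ns->ima_rules; l = l->next)
		ns->ima_policy_flag |= rule_of(l)->action;
}

/* Assumed shape of ima_ns_init(): initialise the lists, seed one constructed
 * builtin rule and point the namespace at its default rules. */
static void ima_ns_init(struct ima_namespace *ns)
{
	INIT_LIST_HEAD(&ns->ima_default_rules);
	INIT_LIST_HEAD(&ns->ima_policy_rules);
	INIT_LIST_HEAD(&ns->ima_temp_rules);
	list_add_tail(&new_rule("/boot", RULE_MEASURE)->list, &ns->ima_default_rules);
	ns->ima_rules = &ns->ima_default_rules;
	ima_set_policy_flag(ns);
}

/* Stage a rule (assumed helper); what the namespace matches against is unchanged. */
static void ima_stage_rule(struct ima_namespace *ns, const char *prefix, int action)
{
	list_add_tail(&new_rule(prefix, action)->list, &ns->ima_temp_rules);
}

/* Commit staged rules and switch this namespace from default to custom policy.
 * The kernel would publish the new pointer under RCU; here it is a plain store. */
static void ima_update_policy(struct ima_namespace *ns)
{
	list_splice_tail_init(&ns->ima_temp_rules, &ns->ima_policy_rules);
	ns->ima_rules = &ns->ima_policy_rules;
	ima_set_policy_flag(ns);
}

/* Action bits of the first matching rule in this namespace's current policy, or 0. */
static int ima_match_policy(const struct ima_namespace *ns, const char *path)
{
	struct list_head *l;
	for (l = ns->ima_rules->next; l != ns->ima_rules; l = l->next) {
		const struct ima_rule_entry *e = rule_of(l);
		if (strncmp(path, e->prefix, strlen(e->prefix)) == 0)
			return e->action;
	}
	return 0;
}

/* The interim lookup the commit message describes: always the host namespace. */
static struct ima_namespace *ima_ns_current(void)
{
	return &init_ima_ns;
}

/* Host keeps its builtin policy while a second namespace loads a custom one.
 * Returns 0 when every check holds, otherwise the number of the failed check. */
static int ima_ns_demo(void)
{
	struct ima_namespace child;

	ima_ns_init(&init_ima_ns);
	ima_ns_init(&child);
	ima_stage_rule(&child, "/usr", RULE_APPRAISE);
	if (ima_match_policy(&child, "/usr/bin/ls") != 0)			return 1;
	ima_update_policy(&child);
	if (ima_match_policy(&child, "/usr/bin/ls") != RULE_APPRAISE)		return 2;
	if (ima_match_policy(&child, "/boot/vmlinuz") != 0)			return 3;
	if (ima_match_policy(&init_ima_ns, "/boot/vmlinuz") != RULE_MEASURE)	return 4;
	if (ima_match_policy(&init_ima_ns, "/usr/bin/ls") != 0)			return 5;
	if (child.ima_policy_flag != RULE_APPRAISE)				return 6;
	if (init_ima_ns.ima_policy_flag != RULE_MEASURE)			return 7;
	if (ima_ns_current() != &init_ima_ns)					return 8;
	return 0;
}

int main(void)
{
	return ima_ns_demo();
}
```

Check 3 is the behaviour the "arch & custom rules" comment above is about: in this model a committed custom policy fully replaces the default list, so the `/boot` builtin rule stops matching in `child`. The kernel's arch rules persisting across that switch is exactly the detail the per-field comments should record, and it is not modelled here.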