On Tue, 2022-02-01 at 15:37 -0500, Stefan Berger wrote:
> Set up securityfs with symlinks, directories, and files for IMA
> namespacing support. The same directory structure that IMA uses on the
> host is also created for the namespacing case.
>
> The securityfs file and directory ownerships cannot be set when the
> IMA namespace is initialized. Therefore, delay the setup of the file
> system to a later point when securityfs is in securityfs_fill_super.
>
> Introduce a variable ima_policy_removed in ima_namespace that is used to
> remember whether the policy file has previously been removed and thus
> should not be created again in case of unmounting and again mounting
> securityfs inside an IMA namespace.

When the ability to extend the custom IMA policy was added, support
for displaying the policy was added. (Refer to the IMA_READ_POLICY
Kconfig.) This patch set adds support for a user, true root in the
namespace, to be able to write a custom policy. If IMA_READ_POLICY
is not enabled, then nobody, including host root, will be able to view
it. Instead of continuing to support not being able to read the IMA
policy, updating the IMA_READ_POLICY Kconfig for the IMA_NS case to
require it seems preferable.

> This filesystem can now be mounted as follows:
>
> mount -t securityfs /sys/kernel/security/ /sys/kernel/security/
>
> The following directories, symlinks, and files are available
> when IMA namespacing is enabled, otherwise it will be empty:
>
> $ ls -l sys/kernel/security/
> total 0
> lr--r--r--. 1 root root 0 Dec 2 00:18 ima -> integrity/ima
> drwxr-xr-x. 3 root root 0 Dec 2 00:18 integrity
>
> $ ls -l sys/kernel/security/ima/
> total 0
> -r--r-----. 1 root root 0 Dec 2 00:18 ascii_runtime_measurements
> -r--r-----. 1 root root 0 Dec 2 00:18 binary_runtime_measurements
> -rw-------. 1 root root 0 Dec 2 00:18 policy
> -r--r-----. 1 root root 0 Dec 2 00:18 runtime_measurements_count
> -r--r-----. 1 root root 0 Dec 2 00:18 violations
>
> Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>
> Signed-off-by: James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx>
> Acked-by: Christian Brauner <brauner@xxxxxxxxxx>

Otherwise,

Reviewed-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>