Re: [RFC PATCH 00/30] ima: Introduce IMA namespace

From: Christian Brauner
Date: Tue Aug 18 2020 - 12:49:51 EST


On Tue, Aug 18, 2020 at 05:20:07PM +0200, krzysztof.struczynski@xxxxxxxxxx wrote:
> From: Krzysztof Struczynski <krzysztof.struczynski@xxxxxxxxxx>
>
> IMA has not been designed to work with containers. It handles every
> process in the same way, and it cannot distinguish if a process belongs to
> a container or not.
>
> Containers use namespaces to make it appear to the processes in the
> containers that they have their own isolated instance of the global
> resource. For IMA as well, it is desirable to let processes in the

IMA is brought up on a regular basis with "we want to have this" for
years and then no one seems to really care enough.

I'm highly skeptical of the value of ~2500 lines of code even if it
includes a bunch of namespace boilerplate. It's yet another namespace,
and yet another security framework.
Why does IMA need to be a separate namespace? Keyrings are tied to user
namespaces; why can't IMA be? I believe Eric has even pointed that out
before.

Eric, thoughts?

Christian