Re: [RFC PATCH v2 1/3] ima: extend clone() with IMA namespace support

2018-03-22 Thread Stefan Berger
On 03/15/2018 03:01 PM, James Bottomley wrote: On Thu, 2018-03-15 at 14:51 -0400, Stefan Berger wrote: On 03/15/2018 02:45 PM, James Bottomley wrote: [...] going to need some type of keyring namespace and there's already one hanging off the user_ns: commit

Re: [RFC PATCH v2 1/3] ima: extend clone() with IMA namespace support

2018-03-21 Thread Mimi Zohar
On Thu, 2018-03-15 at 15:35 -0500, Eric W. Biederman wrote: > Stefan Berger writes: > > On 03/15/2018 03:20 PM, Eric W. Biederman wrote: [..] > >> From previous conversations I remember that there is a legitimate > >> bootstrap problem for IMA. That needs to be looked at, and I am not > >>

Re: [RFC PATCH v2 1/3] ima: extend clone() with IMA namespace support

2018-03-16 Thread Stefan Berger
On 03/15/2018 03:15 PM, Stefan Berger wrote: On 03/15/2018 03:01 PM, James Bottomley wrote: On Thu, 2018-03-15 at 14:51 -0400, Stefan Berger wrote: On 03/15/2018 02:45 PM, James Bottomley wrote: [...] going to need some type of keyring namespace and there's already one hanging off the

Re: [RFC PATCH v2 1/3] ima: extend clone() with IMA namespace support

2018-03-15 Thread Eric W. Biederman
Stefan Berger writes: > On 03/15/2018 03:20 PM, Eric W. Biederman wrote: >> Stefan Berger writes: >> >>> On 03/15/2018 03:01 PM, James Bottomley wrote: On Thu, 2018-03-15 at 14:51 -0400, Stefan Berger wrote: > On 03/15/2018 02:45 PM, James Bottomley wrote: [...] going to

Re: [RFC PATCH v2 1/3] ima: extend clone() with IMA namespace support

2018-03-15 Thread Stefan Berger
On 03/15/2018 03:20 PM, Eric W. Biederman wrote: Stefan Berger writes: On 03/15/2018 03:01 PM, James Bottomley wrote: On Thu, 2018-03-15 at 14:51 -0400, Stefan Berger wrote: On 03/15/2018 02:45 PM, James Bottomley wrote: [...] going to need some type of keyring namespace and there's

Re: [RFC PATCH v2 1/3] ima: extend clone() with IMA namespace support

2018-03-15 Thread Eric W. Biederman
Stefan Berger writes: > On 03/15/2018 03:01 PM, James Bottomley wrote: >> On Thu, 2018-03-15 at 14:51 -0400, Stefan Berger wrote: >>> On 03/15/2018 02:45 PM, James Bottomley wrote: >> [...] >> going to need some type of keyring namespace and there's >> already >> one hanging off the

Re: [RFC PATCH v2 1/3] ima: extend clone() with IMA namespace support

2018-03-15 Thread Stefan Berger
On 03/15/2018 03:01 PM, James Bottomley wrote: On Thu, 2018-03-15 at 14:51 -0400, Stefan Berger wrote: On 03/15/2018 02:45 PM, James Bottomley wrote: [...] going to need some type of keyring namespace and there's already one hanging off the user_ns: commit

Re: [RFC PATCH v2 1/3] ima: extend clone() with IMA namespace support

2018-03-15 Thread James Bottomley
On Thu, 2018-03-15 at 14:51 -0400, Stefan Berger wrote: > On 03/15/2018 02:45 PM, James Bottomley wrote: [...] > > > > going to need some type of keyring namespace and there's > > > > already > > > > one hanging off the user_ns: > > > > > > > > commit f36f8c75ae2e7d4da34f4c908cebdb4aa42c977e > >

Re: [RFC PATCH v2 1/3] ima: extend clone() with IMA namespace support

2018-03-15 Thread Stefan Berger
On 03/15/2018 02:45 PM, James Bottomley wrote: On Thu, 2018-03-15 at 14:26 -0400, Stefan Berger wrote: On 03/15/2018 01:33 PM, James Bottomley wrote: On Thu, 2018-03-15 at 11:26 -0400, Stefan Berger wrote: [...] IMA measures the files described by these paths. The files also may hold

Re: [RFC PATCH v2 1/3] ima: extend clone() with IMA namespace support

2018-03-15 Thread James Bottomley
On Thu, 2018-03-15 at 14:26 -0400, Stefan Berger wrote: > On 03/15/2018 01:33 PM, James Bottomley wrote: > > > > On Thu, 2018-03-15 at 11:26 -0400, Stefan Berger wrote: [...] > > > > > > IMA measures the files described by these paths. The files also > > > may hold signatures (security.ima

Re: [RFC PATCH v2 1/3] ima: extend clone() with IMA namespace support

2018-03-15 Thread Stefan Berger
On 03/15/2018 01:33 PM, James Bottomley wrote: On Thu, 2018-03-15 at 11:26 -0400, Stefan Berger wrote: On 03/15/2018 06:40 AM, Eric W. Biederman wrote: Stefan Berger writes: From: Yuqiong Sun Add new CONFIG_IMA_NS config option. Let clone() create a new IMA namespace upon CLONE_NEWNS

Re: [RFC PATCH v2 1/3] ima: extend clone() with IMA namespace support

2018-03-15 Thread James Bottomley
On Thu, 2018-03-15 at 11:26 -0400, Stefan Berger wrote: > On 03/15/2018 06:40 AM, Eric W. Biederman wrote: > > > > Stefan Berger writes: > > > > > > > > From: Yuqiong Sun > > > > > > Add new CONFIG_IMA_NS config option.  Let clone() create a new > > > IMA namespace upon CLONE_NEWNS flag. Add

Re: [RFC PATCH v2 1/3] ima: extend clone() with IMA namespace support

2018-03-15 Thread Stefan Berger
On 03/15/2018 06:40 AM, Eric W. Biederman wrote: Stefan Berger writes: From: Yuqiong Sun Add new CONFIG_IMA_NS config option. Let clone() create a new IMA namespace upon CLONE_NEWNS flag. Add ima_ns data structure in nsproxy. ima_ns is allocated and freed upon IMA namespace creation and

Re: [RFC PATCH v2 1/3] ima: extend clone() with IMA namespace support

2018-03-15 Thread Eric W. Biederman
Stefan Berger writes: > From: Yuqiong Sun > > Add new CONFIG_IMA_NS config option. Let clone() create a new IMA > namespace upon CLONE_NEWNS flag. Add ima_ns data structure in nsproxy. > ima_ns is allocated and freed upon IMA namespace creation and exit. > Currently, the ima_ns contains no

[RFC PATCH v2 1/3] ima: extend clone() with IMA namespace support

2018-03-09 Thread Stefan Berger
From: Yuqiong Sun Add new CONFIG_IMA_NS config option. Let clone() create a new IMA namespace upon CLONE_NEWNS flag. Add ima_ns data structure in nsproxy. ima_ns is allocated and freed upon IMA namespace creation and exit. Currently, the ima_ns contains no useful IMA data but only a dummy