    ima: Introduce ima namespace · a8352473
    Krzysztof Struczynski committed
    hulk inclusion
    category: feature
    bugzilla: https://gitee.com/openeuler/kernel/issues/I49KW1
    CVE: NA
    
    --------------------------------
    
    The IMA namespace wraps global ima resources in an abstraction to enable IMA
    to work with containers. Currently, the ima namespace contains no useful
    data, only a dummy interface. IMA resources related to different aspects of
    IMA, namely IMA-audit, IMA-measurement and IMA-appraisal, will be added in
    the following patches.
    
    The way an ima namespace is created is analogous to the time namespace: the
    unshare(CLONE_NEWIMA) system call creates a new ima namespace but doesn't
    assign it to the current process. All children of the process will be born
    in the new ima namespace, or a process can use the setns() system call to
    join the new ima namespace. A call to the clone3(CLONE_NEWIMA) system call
    creates a new namespace, which the new process joins instantly.
    
    This scheme allows configuring the new ima namespace before any process
    appears in it. If the user initially unshares the new ima namespace, ima can
    be configured using the ima entries in securityfs. If the user calls the
    clone3() system call directly, the new ima namespace can be configured using
    the clone arguments. To allow this, new securityfs entries have to be added,
    and the structures clone_args and kernel_clone_args have to be extended.
    
    Early configuration is crucial. The new ima policies must apply to the
    first process in the new namespace, and the appraisal key has to be loaded
    beforehand.
    
    Add a new CONFIG_IMA_NS option to the kernel configuration that enables
    one to create a new IMA namespace. IMA namespace functionality is disabled
    by default.

    Signed-off-by: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>
    Reviewed-by: Zhang Tianxing <zhangtianxing3@huawei.com>
    Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>