[v3,16/16] ima: Setup securityfs for IMA namespace

Message ID	20211206172600.1495968-17-stefanb@linux.ibm.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-integrity-owner@kernel.org> From: Stefan Berger <stefanb@linux.ibm.com> To: linux-integrity@vger.kernel.org Cc: zohar@linux.ibm.com, serge@hallyn.com, christian.brauner@ubuntu.com, containers@lists.linux.dev, dmitry.kasatkin@gmail.com, ebiederm@xmission.com, krzysztof.struczynski@huawei.com, roberto.sassu@huawei.com, mpeters@redhat.com, lhinds@redhat.com, lsturman@redhat.com, puiterwi@redhat.com, jejb@linux.ibm.com, jamjoom@us.ibm.com, linux-kernel@vger.kernel.org, paul@paul-moore.com, rgb@redhat.com, linux-security-module@vger.kernel.org, jmorris@namei.org, Stefan Berger <stefanb@linux.ibm.com>, James Bottomley <James.Bottomley@HansenPartnership.com> Subject: [PATCH v3 16/16] ima: Setup securityfs for IMA namespace Date: Mon, 6 Dec 2021 12:26:00 -0500 Message-Id: <20211206172600.1495968-17-stefanb@linux.ibm.com> In-Reply-To: <20211206172600.1495968-1-stefanb@linux.ibm.com> References: <20211206172600.1495968-1-stefanb@linux.ibm.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	ima: Namespace IMA with audit support in IMA-ns \| expand [v3,00/16] ima: Namespace IMA with audit support in IMA-ns [v3,01/16] ima: Add IMA namespace support [v3,02/16] ima: Define ns_status for storing namespaced iint data [v3,03/16] ima: Namespace audit status flags [v3,04/16] ima: Move delayed work queue and variables into ima_namespace [v3,05/16] ima: Move IMA's keys queue related variables into ima_namespace [v3,06/16] ima: Move policy related variables into ima_namespace [v3,07/16] ima: Move ima_htable into ima_namespace [v3,08/16] ima: Move measurement list related variables into ima_namespace [v3,09/16] ima: Only accept AUDIT rules for IMA non-init_ima_ns namespaces for now [v3,10/16] ima: Implement hierarchical processing of file accesses [v3,11/16] securityfs: Move vfsmount into user_namespace [v3,12/16] securityfs: Extend securityfs with namespacing support [v3,13/16] ima: Move some IMA policy and filesystem related variables into ima_namespace [v3,14/16] ima: Use mac_admin_ns_capable() to check corresponding capability [v3,15/16] ima: Move dentries into ima_namespace [v3,16/16] ima: Setup securityfs for IMA namespace

Message ID

20211206172600.1495968-17-stefanb@linux.ibm.com (mailing list archive)

State

New, archived

Headers

From: Stefan Berger <stefanb@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: zohar@linux.ibm.com, serge@hallyn.com,
        christian.brauner@ubuntu.com, containers@lists.linux.dev,
        dmitry.kasatkin@gmail.com, ebiederm@xmission.com,
        krzysztof.struczynski@huawei.com, roberto.sassu@huawei.com,
        mpeters@redhat.com, lhinds@redhat.com, lsturman@redhat.com,
        puiterwi@redhat.com, jejb@linux.ibm.com, jamjoom@us.ibm.com,
        linux-kernel@vger.kernel.org, paul@paul-moore.com, rgb@redhat.com,
        linux-security-module@vger.kernel.org, jmorris@namei.org,
        Stefan Berger <stefanb@linux.ibm.com>,
        James Bottomley <James.Bottomley@HansenPartnership.com>
Subject: [PATCH v3 16/16] ima: Setup securityfs for IMA namespace
Date: Mon,  6 Dec 2021 12:26:00 -0500
Message-Id: <20211206172600.1495968-17-stefanb@linux.ibm.com>
In-Reply-To: <20211206172600.1495968-1-stefanb@linux.ibm.com>
References: <20211206172600.1495968-1-stefanb@linux.ibm.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

ima: Namespace IMA with audit support in IMA-ns | expand

Commit Message

Stefan Berger Dec. 6, 2021, 5:26 p.m. UTC

Setup securityfs with symlinks, directories, and files for IMA
namespacing support. The same directory structure that IMA uses on the
host is also created for the namespacing case.

The securityfs file and directory ownerships cannot be set when the
IMA namespace is initialized. Therefore, delay the setup of the file
system to a later point when securityfs initializes the fs_context.
Use securityfs_register_ns_notifier() to register a notifier for
populating the filsystem late.

This filesystem can now be mounted as follows:

mount -t securityfs /sys/kernel/security/ /sys/kernel/security/

The following directories, symlinks, and files are then available.

$ ls -l sys/kernel/security/
total 0
lr--r--r--. 1 root root 0 Dec  2 00:18 ima -> integrity/ima
drwxr-xr-x. 3 root root 0 Dec  2 00:18 integrity

$ ls -l sys/kernel/security/ima/
total 0
-r--r-----. 1 root root 0 Dec  2 00:18 ascii_runtime_measurements
-r--r-----. 1 root root 0 Dec  2 00:18 binary_runtime_measurements
-rw-------. 1 root root 0 Dec  2 00:18 policy
-r--r-----. 1 root root 0 Dec  2 00:18 runtime_measurements_count
-r--r-----. 1 root root 0 Dec  2 00:18 violations

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
---
 include/linux/ima.h             |  3 ++-
 security/integrity/ima/ima_fs.c | 46 ++++++++++++++++++++++++++++++---
 2 files changed, 45 insertions(+), 4 deletions(-)

diff --git a/include/linux/ima.h b/include/linux/ima.h
index bfb978a7f8d5..cab5fc6caeb3 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -221,7 +221,8 @@  struct ima_h_table {
 };
 
 enum {
-	IMAFS_DENTRY_DIR = 0,
+	IMAFS_DENTRY_INTEGRITY_DIR = 0,
+	IMAFS_DENTRY_DIR,
 	IMAFS_DENTRY_SYMLINK,
 	IMAFS_DENTRY_BINARY_RUNTIME_MEASUREMENTS,
 	IMAFS_DENTRY_ASCII_RUNTIME_MEASUREMENTS,
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index c2a886c00ac2..c17a6b7eeb95 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -456,12 +456,25 @@  static void ima_fs_ns_free_dentries(struct ima_namespace *ns)
 	memset(ns->dentry, 0, sizeof(ns->dentry));
 }
 
-static int __init ima_fs_ns_init(struct user_namespace *user_ns)
+static int ima_fs_ns_init(struct user_namespace *user_ns)
 {
 	struct ima_namespace *ns = user_ns->ima_ns;
 	struct dentry *ima_dir;
 
-	ns->dentry[IMAFS_DENTRY_DIR] = securityfs_create_dir("ima", integrity_dir);
+	/* already initialized? */
+	if (ns->dentry[IMAFS_DENTRY_INTEGRITY_DIR])
+		return 0;
+
+	/* FIXME: update when evm and integrity are namespaced */
+	if (user_ns != &init_user_ns)
+		ns->dentry[IMAFS_DENTRY_INTEGRITY_DIR] =
+			securityfs_create_dir("integrity", NULL);
+	else
+		ns->dentry[IMAFS_DENTRY_INTEGRITY_DIR] = integrity_dir;
+
+	ns->dentry[IMAFS_DENTRY_DIR] =
+	    securityfs_create_dir("ima",
+				  ns->dentry[IMAFS_DENTRY_INTEGRITY_DIR]);
 	if (IS_ERR(ns->dentry[IMAFS_DENTRY_DIR]))
 		return -1;
 	ima_dir = ns->dentry[IMAFS_DENTRY_DIR];
@@ -511,7 +524,34 @@  static int __init ima_fs_ns_init(struct user_namespace *user_ns)
 	return -1;
 }
 
-int __init ima_fs_init(void)
+static int ima_ns_notify(struct notifier_block *this, unsigned long msg,
+			    void *data)
 {
+	int rc = 0;
+	struct user_namespace *user_ns = data;
+
+	switch (msg) {
+	case SECURITYFS_NS_ADD:
+		rc = ima_fs_ns_init(user_ns);
+		break;
+	case SECURITYFS_NS_REMOVE:
+		ima_fs_ns_free_dentries(user_ns->ima_ns);
+		break;
+	}
+	return rc;
+}
+
+static struct notifier_block ima_ns_notifier = {
+	.notifier_call = ima_ns_notify,
+};
+
+int ima_fs_init()
+{
+	int rc;
+
+	rc = securityfs_register_ns_notifier(&ima_ns_notifier);
+	if (rc)
+		return rc;
+
 	return ima_fs_ns_init(&init_user_ns);
 }

[v3,16/16] ima: Setup securityfs for IMA namespace

Commit Message

Patch