projects: add a blurb about ima namespacing

Signed-off-by: Tycho Andersen <tycho@docker.com>
Tycho Andersen 2017-05-18 13:04:16 -06:00
parent d80e880f28
commit 4b29c738e0


@ -1,3 +1,16 @@
## IMA
IMA stands for Integrity Management Architecture. The basic idea is to prevent
userspace from even *opening* files that have been mutated, by tracking file
content via a hash in the `security.ima` extended attribute. IMA supports
keeping track of these hashes and signing the result via the TPM, and a host of
other features.
Today, this is not namespace aware, so there is no way to differentiate in
IMA's appraisal output between files in one mount namespace vs another, which
makes this not particularly useful for container engines. The goal of this
patchset is to make IMA namespace aware.
## IMA namespace patches
These are draft patches for an implementation of IMA namespacing. They are
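Review bot: the expansion on the first line of the blurb is wrong; IMA is the Integrity *Measurement* Architecture (the kernel's `security/integrity/ima`), so "IMA stands for Integrity Management Architecture." should read "IMA stands for Integrity Measurement Architecture." Two smaller points in the same paragraph: blocking the open of a file whose `security.ima` hash does not match is IMA-appraisal behaviour (measurement-only policies just record the hash in the measurement list), so say "with appraisal enabled" or "IMA-appraisal" rather than attributing it to IMA as a whole; and the TPM does not sign the xattr hashes directly, it extends each measurement into a PCR and can then quote (sign) that PCR, so "signing the result via the TPM" would be clearer as "anchoring the measurement log in a TPM PCR that can be quoted".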