From 4b29c738e0b3590b641f630c14b547d58144e460 Mon Sep 17 00:00:00 2001
From: Tycho Andersen <tycho@docker.com>
Date: Thu, 18 May 2017 13:04:16 -0600
Subject: [PATCH] projects: add a blurb about ima namespacing

Signed-off-by: Tycho Andersen <tycho@docker.com>
---
 projects/ima-namespace/README.md | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/projects/ima-namespace/README.md b/projects/ima-namespace/README.md
index d6d12a767..5c68f5a80 100644
--- a/projects/ima-namespace/README.md
+++ b/projects/ima-namespace/README.md
@@ -1,3 +1,16 @@
+## IMA
+
+IMA stands for Integrity Management Architecture. The basic idea is to prevent
+userspace from even *opening* files that have been mutated, by tracking file
+content via a hash in the `security.ima` extended attribute. IMA supports
+keeping track of these hashes and signing the result via the TPM, and a host of
+other features.
+
+Today, this is not namespace aware, so there is no way to differentiate in
+IMA's appraisal output between files in one mount namespace vs another, which
+makes this not particularly useful for container engines. The goal of this
+patchset is to make IMA namespace aware.
+
 ## IMA namespace patches
 
 These are draft patches for an implementation of IMA namespacing. They are