From 4b29c738e0b3590b641f630c14b547d58144e460 Mon Sep 17 00:00:00 2001 From: Tycho Andersen Date: Thu, 18 May 2017 13:04:16 -0600 Subject: [PATCH] projects: add a blurb about ima namespacing Signed-off-by: Tycho Andersen --- projects/ima-namespace/README.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/projects/ima-namespace/README.md b/projects/ima-namespace/README.md index d6d12a767..5c68f5a80 100644 --- a/projects/ima-namespace/README.md +++ b/projects/ima-namespace/README.md @@ -1,3 +1,16 @@ +## IMA + +IMA stands for Integrity Management Architecture. The basic idea is to prevent +userspace from even *opening* files that have been mutated, by tracking file +content via a hash in the `security.ima` extended attribute. IMA supports +keeping track of these hashes and signing the result via the TPM, and a host of +other features. + +Today, this is not namespace aware, so there is no way to differentiate in +IMA's appraisal output between files in one mount namespace vs another, which +makes this not particularly useful for container engines. The goal of this +patchset is to make IMA namespace aware. + ## IMA namespace patches These are draft patches for an implementation of IMA namespacing. They are
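Review bot: The expansion in the first added paragraph is wrong: IMA stands for Integrity Measurement Architecture, not "Integrity Management Architecture"; please correct it before this lands, since the README is the first thing readers of the project will see. While touching that paragraph, the description conflates IMA's two modes: measurement (hashing file content into a measurement list that is extended into a TPM PCR, so the list can later be attested) and appraisal (refusing to open files whose content does not match the hash or signature stored in `security.ima`). Suggested wording: "IMA measures file content into a log anchored in the TPM, and, when appraisal is enabled, prevents userspace from opening files whose content no longer matches the hash or signature in the `security.ima` extended attribute." The second paragraph's point about appraisal output not distinguishing mount namespaces then reads more clearly.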