linuxkit/projects/ima-namespace
Tycho Andersen d80e880f28 projects: add IMA namespacing project
This is a project with a v1 of the IMA namespacing patches. See the readme
for details on use.

Signed-off-by: Tycho Andersen <tycho@docker.com>
2017-05-18 12:25:07 -06:00

IMA namespace patches

These are draft patches for an implementation of IMA namespacing. They are currently a rebased version of the v1 set posted here [1].

Usage

Let's suppose you have some sensitive files owned by a particular user that you want to keep secure:

sensitive=/tmp/foo
user=71452
mkdir -p $(dirname $sensitive) && echo "hello" > $sensitive
chown $user $sensitive

To use IMA in the per-namespace mode, you need ima_appraise=enforce_ns on the kernel command line (this project's yaml file sets it). Then the userspace interface looks something like this:

# create a new mount namespace
unshare -m

# enable per-ns policy for this new namespace
nsid=$(readlink /proc/self/ns/mnt | cut -c '6-15')
echo ${nsid} > /sys/kernel/security/ima/namespaces

# set the policy (we use tmpfs magic here since that's all that linuxkit
# has available to write to for this example)
TMPFS_MAGIC=0x01021994
printf "appraise fsmagic=$TMPFS_MAGIC fowner=$user\nappraise func=MODULE_CHECK" > /sys/kernel/security/ima/$nsid/policy

hash=$(echo -e "\x4$(openssl dgst -sha256 -binary $sensitive)")
setfattr -n security.ima -v "${hash}" $sensitive
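The steps above, gathered into shell functions as an added example (this is not code from the linuxkit project). The one deliberate difference from the commands above is how the security.ima value is built: here it is handed to setfattr in its 0x... hex syntax rather than as raw digest bytes captured in a shell variable, since a variable cannot hold NUL bytes and echo -e will swallow a leading hex digit of the digest into the \x4 escape. The xattr layout assumed is the kernel's IMA_XATTR_DIGEST_NG format (type byte 0x04, hash-algorithm byte 0x04 for SHA-256, then the 32-byte digest); the securityfs paths and the TMPFS_MAGIC value are the ones the page uses, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the linuxkit project. Assumed xattr layout
# (IMA_XATTR_DIGEST_NG): 0x04 type, 0x04 = HASH_ALGO_SHA256, raw digest.

IMA_SECURITYFS=/sys/kernel/security/ima
TMPFS_MAGIC=0x01021994
IMA_XATTR_DIGEST_NG=04
HASH_ALGO_SHA256=04

# Extract the numeric namespace id from a "mnt:[4026532208]" link target.
# Unlike a fixed `cut -c 6-15`, this works for any id length.
ns_id_from_link() {
    printf '%s\n' "$1" | sed 's/^[a-z_]*:\[\([0-9]*\)\]$/\1/'
}

# Id of the caller's current mount namespace.
current_mnt_ns_id() {
    ns_id_from_link "$(readlink /proc/self/ns/mnt)"
}

# The per-namespace policy used on this page: appraise files on tmpfs that
# are owned by uid $1, and appraise kernel modules.
ima_ns_policy() {
    printf 'appraise fsmagic=%s fowner=%s\nappraise func=MODULE_CHECK\n' \
        "$TMPFS_MAGIC" "$1"
}

# Register the current mount namespace with IMA and install the policy for
# it. Needs ima_appraise=enforce_ns on the kernel command line and must run
# as root inside the namespace created with `unshare -m`.
ima_ns_enable() {
    nsid=$(current_mnt_ns_id)
    echo "$nsid" > "$IMA_SECURITYFS/namespaces"
    ima_ns_policy "$1" > "$IMA_SECURITYFS/$nsid/policy"
}

# SHA-256 of a file as lowercase hex (coreutils or openssl, whichever exists).
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# The complete security.ima value in setfattr's 0x... hex syntax.
ima_xattr_value() {
    printf '0x%s%s%s\n' "$IMA_XATTR_DIGEST_NG" "$HASH_ALGO_SHA256" "$(sha256_hex "$1")"
}

# Label a file (needs a filesystem with security.* xattrs and privilege).
ima_label() {
    setfattr -n security.ima -v "$(ima_xattr_value "$1")" "$1"
}

# Does the stored digest still match the content? This is the comparison
# IMA performs at open(); a mismatch is what the audit line below reports
# as cause="invalid-hash". Returns 0 on match, 1 otherwise.
ima_check() {
    stored=$(getfattr --only-values -n security.ima -e hex "$1" 2>/dev/null)
    [ "$stored" = "$(ima_xattr_value "$1")" ]
}

# Typical use, mirroring the page: run inside `unshare -m` as root.
#   ima_ns_enable 71452
#   ima_label /tmp/foo
#   ima_check /tmp/foo && echo "label matches"
```

`ima_check` is the defender-side counterpart of the audit message: running it after a write to a labelled file shows the same mismatch the kernel reports, without needing to trigger a failed open.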

And now you should be able to see things failing:

moby:/# echo foo > /tmp/foo
moby:/# cat /tmp/foo 
[ 3233.681544] audit: type=1800 audit(1495131746.610:29): pid=384 uid=0 auid=4294967295 ses=4294967295 op="appraise_data" cause="invalid-hash" comm="cat" name="/tmp/foo" mnt_ns=4026532208 dev="tmpfs" ino=13105 res=0
cat: can't open '/tmp/foo': Permission denied