From: Mimi Z. <zo...@li...> - 2016-09-06 20:00:47
On Thu, 2016-09-01 at 08:22 -0500, Seth Forshee wrote:
> I've been reading back through all of this, and I'm not sure any
> conclusion was reached.
>
> For my part, I'm uneasy about writing out hmacs to mounts from a
> non-root user. So I'll make a proposal - let's not read or write EVM or
> IMA xattrs for filesystems from non-init user namespace, essentially
> behaving as though they don't support xattrs. Something like the
> (untested) patch below.

This really doesn't sound like the right long term solution. The kernel, as well as root in the namespace, should write the EVM and IMA security xattrs, as long as their usage is limited to the uid/gid associated with that user_ns namespace.

In terms of the USB stick scenario, instead of security.evm containing HMACs, they would need to be replaced with signatures, before using it on another system. Refer to the ima-evm-utils package for writing out security.evm signatures.

Mimi