From: Seth F. <set...@ca...> - 2016-09-07 20:49:51
Hi Mimi,

Here's what I came up with based on our discussion about handling EVM and IMA xattrs in mounts from non-init user namespaces. The updates are fairly simple.

For EVM, refuse to verify or calculate a new hmac for filesystems mounted from non-init user namespaces. Writing EVM xattrs from userspace is already restricted to global CAP_SYS_ADMIN, and reading the xattrs from userspace will still be allowed.

For IMA, allow CAP_SYS_ADMIN in s_user_ns to write xattrs.

Please let me know whether or not this lines up with what we discussed.

Thanks,
Seth

Seth Forshee (2):
  evm: Ignore EVM xattrs from user namespace mounts
  ima: Allow CAP_SYS_ADMIN in s_user_ns to write IMA xattrs

 security/integrity/evm/evm_crypto.c   | 2 +-
 security/integrity/evm/evm_main.c     | 3 +++
 security/integrity/ima/ima_appraise.c | 3 ++-
 3 files changed, 6 insertions(+), 2 deletions(-)