@IlyaHanov
The Linux kernel community is now working on supporting IMA namespaces
and it is almost done. It is a new kernel feature that allows isolation of Platform Configuration Register (PCR) values, Measurement Logs (ML), etc. The related issue is #1163.

Signed-off-by: Ilya Hanov [email protected]

Advanced Software Technology Lab
Huawei

Add an IMA namespace field for containers
to be able to create an IMA namespace using JSON configuration

Signed-off-by: Ilya Hanov <[email protected]>
// UserNamespace for isolating user and group IDs
UserNamespace LinuxNamespaceType = "user"
// ImaNamespace for isolating PCR values
ImaNamespace LinuxNamespaceType = "ima"
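Review bot: the comment on the ImaNamespace constant is narrower than the PR description, which says IMA namespaces isolate PCR values, Measurement Logs and more; suggest `// ImaNamespace for isolating IMA state (PCR values, measurement logs, etc.)`. Since the discussion below notes that an IMA namespace is activated through securityfs rather than by clone/unshare, the spec text accompanying this new type should also state how a runtime is expected to create or join it, because the constant alone does not convey that.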

@AkihiroSuda

Let me mark this as a draft, until the kernel patch gets merged into the upstream

@AkihiroSuda AkihiroSuda marked this pull request as draft October 18, 2022 13:48
@tianon

tianon commented Oct 18, 2022

IMO this is a little bit premature -- ideally this functionality would be at least merged into the kernel (if not in an actual released version) before we implement or discuss it in this context. What I would suggest in the future would be a posting to the OCI dev mailing list, OCI #general channel on Slack, etc if your goal is to get folks from the OCI aware of and potentially involved in the upstream kernel discussions.

@DenisSemakin

DenisSemakin commented Oct 19, 2022

IMO this is a little bit premature...

I think it's Yes and No simultaneously... Of course, the IMA namespace feature is not merged in the kernel mainline and maybe will not be for some time.
But the way to launch (activate) an IMA namespace for a given user namespace is stable ... more or less. Basically, this is an attempt to use IMA-ns in runC in case the feature is merged in the kernel upstream, and to find out the problems and issues with this approach.

@IlyaHanov

IMO this is a little bit premature -- ideally this functionality would be at least merged into the kernel (if not in an actual released version) before we implement or discuss it in this context. What I would suggest in the future would be a posting to the OCI dev mailing list, OCI #general channel on Slack, etc if your goal is to get folks from the OCI aware of and potentially involved in the upstream kernel discussions.

Yes, you're right in a way, IMA namespaces are not upstream, but there's another interesting problem with runC. This is related to the fact that an IMA namespace uses securityFS to create namespaces, while runC doesn't know about namespaces that are not created using clone/unshare at all. This patchset (one part for runC, one for runtime-spec) presents not only an IMA namespace creation scheme, but also tries to solve this problem, because if the kernel community decides to invent another such namespace, sooner or later this problem will show up.
