Skip to content

[RFC]: IMA Namespace support#1164

Draft
IlyaHanov wants to merge 1 commit intoopencontainers:mainfrom
IlyaHanov:ima-namespace
Draft

[RFC]: IMA Namespace support#1164
IlyaHanov wants to merge 1 commit intoopencontainers:mainfrom
IlyaHanov:ima-namespace

Conversation

@IlyaHanov
Copy link

@IlyaHanov IlyaHanov commented Oct 18, 2022

The Linux kernel community is now working on supporting IMA namespaces
and it is almost done. It is a new kernel feature that allows isolation of Platform Configuration Register (PCR) values, Measurement Logs (ML), etc. The related issue is #1163.

Signed-off-by: Ilya Hanov ilya.hanov@huawei-partners.com

Advanced Software Technology Lab
Huawei

@IlyaHanov
Support IMA namespace json configuration
3ddaa93 
Add an IMA namespace field for containers
to be able to create IMA namespace using json configuration

Signed-off-by: Ilya Hanov <ilya.hanov@huawei-partners.com>
AkihiroSuda
AkihiroSuda reviewed Oct 18, 2022
View reviewed changes
specs-go/config.go
// UserNamespace for isolating user and group IDs
UserNamespace LinuxNamespaceType = "user"
// ImaNamespace for isolating PCR values
ImaNamespace LinuxNamespaceType = "ima"
Copy link
Member

@AkihiroSuda AkihiroSuda Oct 18, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md needs to be updated too

@AkihiroSuda
Copy link
Member

AkihiroSuda commented Oct 18, 2022

Let me mark this as a draft, until the kernel patch gets merged into the upstream

@AkihiroSuda AkihiroSuda marked this pull request as draft October 18, 2022 13:48
@tianon
Copy link
Member

tianon commented Oct 18, 2022

IMO this is a little bit premature -- ideally this functionality would be at least merged into the kernel (if not in an actual released version) before we implement or discuss it in this context. What I would suggest in the future would be a posting to the OCI dev mailing list, OCI #general channel on Slack, etc if your goal is to get folks from the OCI aware of and potentially involved in the upstream kernel discussions.

@DenisSemakin
Copy link

DenisSemakin commented Oct 19, 2022
edited
Loading

IMO this is a little bit premature...

I think it's Yes and No simultaneously... Of course, the IMA namespace feature is not merged in kernel mainline and may be will not for some time.
But the way how to launch (activate) IMA namespace for given user namespace is stable ... more or less. Basically, this is the attempt to use IMA-ns in runC if the feature would be merged in kernel upstream and find out a number of problems and issues with this way.

@IlyaHanov
Copy link
Author

IlyaHanov commented Oct 19, 2022

IMO this is a little bit premature -- ideally this functionality would be at least merged into the kernel (if not in an actual released version) before we implement or discuss it in this context. What I would suggest in the future would be a posting to the OCI dev mailing list, OCI #general channel on Slack, etc if your goal is to get folks from the OCI aware of and potentially involved in the upstream kernel discussions.

Yes, you're right in a way, IMA namespaces is not in upstream, but there's another interesting problem with runC. This is related to why IMA namespace uses securityFS to create namespaces, but runC doesn't know about namespaces which are created not by using clone/unshare at all. This patchset (one for runC, one for runtime-spec) presented not only IMA namespace creation scheme, but tries to solve this problem as well, because if kernel community decides to invent another namespace, sooner or later this problem will show up.

@rata rata mentioned this pull request Dec 29, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@AkihiroSuda AkihiroSuda AkihiroSuda left review comments

@crosbymichael crosbymichael Awaiting requested review from crosbymichael crosbymichael is a code owner

@cyphar cyphar Awaiting requested review from cyphar cyphar is a code owner

@dqminh dqminh Awaiting requested review from dqminh dqminh is a code owner

@giuseppe giuseppe Awaiting requested review from giuseppe giuseppe is a code owner

@hqhq hqhq Awaiting requested review from hqhq hqhq is a code owner

@kolyshkin kolyshkin Awaiting requested review from kolyshkin kolyshkin is a code owner

@mrunalp mrunalp Awaiting requested review from mrunalp mrunalp is a code owner

@thaJeztah thaJeztah Awaiting requested review from thaJeztah thaJeztah is a code owner

@tianon tianon Awaiting requested review from tianon tianon is a code owner

@vbatts vbatts Awaiting requested review from vbatts

@utam0k utam0k Awaiting requested review from utam0k utam0k will be requested when the pull request is marked ready for review utam0k is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@IlyaHanov @AkihiroSuda @tianon @DenisSemakin