Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[RFC]: IMA Namespace support #1164

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

[RFC]: IMA Namespace support #1164

wants to merge 1 commit into from
+2 −0

Conversation

IlyaHanov
Copy link

The Linux kernel community is now working on supporting IMA namespaces
and it is almost done. It is a new kernel feature that allows isolation of Platform Configuration Register (PCR) values, Measurement Logs (ML), etc. The related issue is #1163.

Signed-off-by: Ilya Hanov ilya.hanov@huawei-partners.com

Advanced Software Technology Lab
Huawei

@IlyaHanov
Support IMA namespace json configuration
3ddaa93 
Add an IMA namespace field for containers
to be able to create IMA namespace using json configuration

Signed-off-by: Ilya Hanov <ilya.hanov@huawei-partners.com>
AkihiroSuda
AkihiroSuda reviewed Oct 18, 2022
View reviewed changes
specs-go/config.go
@@ -218,6 +218,8 @@ const (
UTSNamespace LinuxNamespaceType = "uts"
// UserNamespace for isolating user and group IDs
UserNamespace LinuxNamespaceType = "user"
// ImaNamespace for isolating PCR values
ImaNamespace LinuxNamespaceType = "ima"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md needs to be updated too

@AkihiroSuda
Copy link
Member

Let me mark this as a draft, until the kernel patch gets merged into the upstream

@AkihiroSuda AkihiroSuda marked this pull request as draft October 18, 2022 13:48
@tianon
Copy link
Member

tianon commented Oct 18, 2022

IMO this is a little bit premature -- ideally this functionality would be at least merged into the kernel (if not in an actual released version) before we implement or discuss it in this context. What I would suggest in the future would be a posting to the OCI dev mailing list, OCI #general channel on Slack, etc if your goal is to get folks from the OCI aware of and potentially involved in the upstream kernel discussions.

@DenisSemakin
Copy link

DenisSemakin commented Oct 19, 2022
edited
Loading

IMO this is a little bit premature...

I think it's Yes and No simultaneously... Of course, the IMA namespace feature is not merged in kernel mainline and may be will not for some time.
But the way how to launch (activate) IMA namespace for given user namespace is stable ... more or less. Basically, this is the attempt to use IMA-ns in runC if the feature would be merged in kernel upstream and find out a number of problems and issues with this way.

@IlyaHanov
Copy link
Author

IMO this is a little bit premature -- ideally this functionality would be at least merged into the kernel (if not in an actual released version) before we implement or discuss it in this context. What I would suggest in the future would be a posting to the OCI dev mailing list, OCI #general channel on Slack, etc if your goal is to get folks from the OCI aware of and potentially involved in the upstream kernel discussions.

Yes, you're right in a way, IMA namespaces is not in upstream, but there's another interesting problem with runC. This is related to why IMA namespace uses securityFS to create namespaces, but runC doesn't know about namespaces which are created not by using clone/unshare at all. This patchset (one for runC, one for runtime-spec) presented not only IMA namespace creation scheme, but tries to solve this problem as well, because if kernel community decides to invent another namespace, sooner or later this problem will show up.

@rata rata mentioned this pull request Dec 29, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AkihiroSuda AkihiroSuda AkihiroSuda left review comments

@crosbymichael crosbymichael Awaiting requested review from crosbymichael crosbymichael is a code owner

@cyphar cyphar Awaiting requested review from cyphar cyphar is a code owner

@dqminh dqminh Awaiting requested review from dqminh dqminh is a code owner

@giuseppe giuseppe Awaiting requested review from giuseppe giuseppe is a code owner

@hqhq hqhq Awaiting requested review from hqhq hqhq is a code owner

@kolyshkin kolyshkin Awaiting requested review from kolyshkin kolyshkin is a code owner

@mrunalp mrunalp Awaiting requested review from mrunalp mrunalp is a code owner

@thaJeztah thaJeztah Awaiting requested review from thaJeztah thaJeztah is a code owner

@tianon tianon Awaiting requested review from tianon tianon is a code owner

@vbatts vbatts Awaiting requested review from vbatts

@utam0k utam0k Awaiting requested review from utam0k utam0k will be requested when the pull request is marked ready for review utam0k is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@IlyaHanov @AkihiroSuda @tianon @DenisSemakin