Re: [RFC 15/20] capabilities: Introduce CAP_INTEGRITY_ADMIN

From: Stefan Berger
Date: Tue Nov 30 2021 - 12:42:25 EST



On 11/30/21 12:27, Casey Schaufler wrote:
On 11/30/2021 8:06 AM, Stefan Berger wrote:
From: Denis Semakin <denis.semakin@xxxxxxxxxx>

This patch introduces CAP_INTEGRITY_ADMIN, a new capability that allows
to setup IMA (Integrity Measurement Architecture) policies per container
for non-root users.

Why not use CAP_MAC_ADMIN? IMA is a mandatory policy. The scope
is system security administration. It seems to fit your needs.
I introduced CAP_MAC_ADMIN for Smack, and believe that IMA using
it would be completely appropriate.

Fine by me. I suppose we could be reusing it later on also for setting file extended attributes for IMA?

   Stefan