Re: [RFC 15/20] capabilities: Introduce CAP_INTEGRITY_ADMIN

From: Casey Schaufler
Date: Tue Nov 30 2021 - 12:50:31 EST

Next message: Ian Rogers: "[PATCH v3 1/2] perf evlist: Allow setting arbitrary leader"
Previous message: Adam Thomson: "RE: [PATCH v2 3/4] dt-bindings: watchdog: da9062: add watchdog timeout mode"
In reply to: Stefan Berger: "Re: [RFC 15/20] capabilities: Introduce CAP_INTEGRITY_ADMIN"
Next in thread: Stefan Berger: "[RFC 04/20] ima: Move delayed work queue and variables into ima_namespace"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 11/30/2021 9:41 AM, Stefan Berger wrote:

On 11/30/21 12:27, Casey Schaufler wrote:

On 11/30/2021 8:06 AM, Stefan Berger wrote:

From: Denis Semakin <denis.semakin@xxxxxxxxxx>

This patch introduces CAP_INTEGRITY_ADMIN, a new capability that allows
to setup IMA (Integrity Measurement Architecture) policies per container
for non-root users.

Why not use CAP_MAC_ADMIN? IMA is a mandatory policy. The scope
is system security administration. It seems to fit your needs.
I introduced CAP_MAC_ADMIN for Smack, and believe that IMA using
it would be completely appropriate.

Fine by me. I suppose we could be reusing it later on also for setting file extended attributes for IMA?

Yes. That would be completely consistent with the intention and the
Smack implementation.

Stefan

Next message: Ian Rogers: "[PATCH v3 1/2] perf evlist: Allow setting arbitrary leader"
Previous message: Adam Thomson: "RE: [PATCH v2 3/4] dt-bindings: watchdog: da9062: add watchdog timeout mode"
In reply to: Stefan Berger: "Re: [RFC 15/20] capabilities: Introduce CAP_INTEGRITY_ADMIN"
Next in thread: Stefan Berger: "[RFC 04/20] ima: Move delayed work queue and variables into ima_namespace"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]