[RFC v2 16/19] ima: Use integrity_admin_ns_capable() to check corresponding capability
Stefan Berger
stefanb at linux.ibm.com
Fri Dec 3 02:31:15 UTC 2021
Use integrity_admin_ns_capable() to check corresponding capability to
allow read/write IMA policy without CAP_SYS_ADMIN but with
CAP_INTEGRITY_ADMIN.
Signed-off-by: Denis Semakin <denis.semakin at huawei.com>
Signed-off-by: Stefan Berger <stefanb at linux.ibm.com>
---
security/integrity/ima/ima_fs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index 6c86f81c9998..6766bb8262f2 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -393,7 +393,7 @@ static int ima_open_policy(struct inode *inode, struct file *filp)
#else
if ((filp->f_flags & O_ACCMODE) != O_RDONLY)
return -EACCES;
- if (!capable(CAP_SYS_ADMIN))
+ if (!integrity_admin_ns_capable(ns->user_ns))
return -EPERM;
return seq_open(filp, &ima_policy_seqops);
#endif
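Review bot: At the replaced check in ima_open_policy(), `ns` is not declared anywhere in the visible context, and the diffstat shows only this one-line change, so the patch should make clear which earlier patch in the series introduces `ns` in this function and whether it is derived from the opener's credentials or from the file being opened. The commit message says the change allows "read/write" of the IMA policy, but this branch has already returned -EACCES for anything other than O_RDONLY, so only the read path is affected here; please either reword the message or show where the write path is handled. capable(CAP_SYS_ADMIN) tests against the initial user namespace while the new call is passed ns->user_ns, so the commit message should also state whether a task that holds the capability only in its own user namespace is intended to be able to read the policy.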
--
2.31.1