[RFC v2 15/19] capabilities: Introduce CAP_INTEGRITY_ADMIN
Stefan Berger
stefanb at linux.ibm.com
Fri Dec 3 17:39:01 UTC 2021
On 12/3/21 11:40, Casey Schaufler wrote:
> On 12/2/2021 6:31 PM, Stefan Berger wrote:
>> From: Denis Semakin <denis.semakin at huawei.com>
>>
>> This patch introduces CAP_INTEGRITY_ADMIN, a new capability that allows
>> to setup IMA (Integrity Measurement Architecture) policies per container
>> for non-root users.
>>
>> The main purpose of this new capability is discribed in this document:
>> https://kernsec.org/wiki/index.php/IMA_Namespacing_design_considerations
>> It is said: "setting the policy should be possibly without the powerful
>> CAP_SYS_ADMIN and there should be the opportunity to gate this with a
>> new
>> capability CAP_INTEGRITY_ADMIN that allows a user to set the IMA policy
>> during container runtime.."
>>
>> In other words it should be possible to setup IMA policies while not
>> giving too many privilges to the user, therefore splitting the
>> CAP_INTEGRITY_ADMIN off from CAP_SYS_ADMIN.
>
> Please use CAP_MAC_ADMIN, as discussed on the previous submission.
I wasn't clear on consensus. But sure, let's go with CAP_MAC_ADMIN.
Stefan
More information about the Linux-security-module-archive
mailing list