[RFC 15/20] capabilities: Introduce CAP_INTEGRITY_ADMIN

Stefan Berger stefanb at linux.ibm.com
Tue Nov 30 17:41:43 UTC 2021


On 11/30/21 12:27, Casey Schaufler wrote:
> On 11/30/2021 8:06 AM, Stefan Berger wrote:
>> From: Denis Semakin <denis.semakin at huawei.com>
>>
>> This patch introduces CAP_INTEGRITY_ADMIN, a new capability that allows
>> to setup IMA (Integrity Measurement Architecture) policies per container
>> for non-root users.
>
> Why not use CAP_MAC_ADMIN? IMA is a mandatory policy. The scope
> is system security administration. It seems to fit your needs.
> I introduced CAP_MAC_ADMIN for Smack, and believe that IMA using
> it would be completely appropriate.

Fine by me. I suppose we could be reusing it later on also for setting 
file extended attributes for IMA?

    Stefan




More information about the Linux-security-module-archive mailing list