[RFC 15/20] capabilities: Introduce CAP_INTEGRITY_ADMIN
Casey Schaufler
casey at schaufler-ca.com
Tue Nov 30 17:50:14 UTC 2021
On 11/30/2021 9:41 AM, Stefan Berger wrote:
>
> On 11/30/21 12:27, Casey Schaufler wrote:
>> On 11/30/2021 8:06 AM, Stefan Berger wrote:
>>> From: Denis Semakin <denis.semakin at huawei.com>
>>>
>>> This patch introduces CAP_INTEGRITY_ADMIN, a new capability that allows
>>> to setup IMA (Integrity Measurement Architecture) policies per container
>>> for non-root users.
>>
>> Why not use CAP_MAC_ADMIN? IMA is a mandatory policy. The scope
>> is system security administration. It seems to fit your needs.
>> I introduced CAP_MAC_ADMIN for Smack, and believe that IMA using
>> it would be completely appropriate.
>
> Fine by me. I suppose we could be reusing it later on also for setting file extended attributes for IMA?
Yes. That would be completely consistent with the intention and the
Smack implementation.
>
> Stefan
>
>
More information about the Linux-security-module-archive
mailing list