Re: [RFC v2 15/19] capabilities: Introduce CAP_INTEGRITY_ADMIN

On 12/3/21 11:40, Casey Schaufler wrote:
> On 12/2/2021 6:31 PM, Stefan Berger wrote:
>> From: Denis Semakin <denis.semakin@xxxxxxxxxx>
>>
>> This patch introduces CAP_INTEGRITY_ADMIN, a new capability that allows
>> to set up IMA (Integrity Measurement Architecture) policies per container
>> for non-root users.
>>
>> The main purpose of this new capability is described in this document:
>> https://kernsec.org/wiki/index.php/IMA_Namespacing_design_considerations
>> It is said: "setting the policy should be possibly without the powerful
>> CAP_SYS_ADMIN and there should be the opportunity to gate this with a new
>> capability CAP_INTEGRITY_ADMIN that allows a user to set the IMA policy
>> during container runtime.."
>>
>> In other words it should be possible to set up IMA policies while not
>> giving too many privileges to the user, therefore splitting the
>> CAP_INTEGRITY_ADMIN off from CAP_SYS_ADMIN.
>
> Please use CAP_MAC_ADMIN, as discussed on the previous submission.

I wasn't clear on consensus. But sure, let's go with CAP_MAC_ADMIN.

   Stefan





