On 2/6/22 12:20, Stefan Berger wrote:
On 2/5/22 00:58, Serge E. Hallyn wrote:
On Tue, Feb 01, 2022 at 03:37:20PM -0500, Stefan Berger wrote:
Define mac_admin_ns_capable() as a wrapper for the combined
ns_capable()
checks on CAP_MAC_ADMIN and CAP_SYS_ADMIN in a user namespace. Return
true on the check if either capability or both are available.
Use mac_admin_ns_capable() in place of capable(SYS_ADMIN). This will
allow
an IMA namespace to read the policy with only CAP_MAC_ADMIN, which has
less privileges than CAP_SYS_ADMIN.
Signed-off-by: Denis Semakin <denis.semakin@xxxxxxxxxx>
Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>
---
include/linux/capability.h | 6 ++++++
security/integrity/ima/ima.h | 6 ++++++
security/integrity/ima/ima_fs.c | 5 ++++-
3 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/include/linux/capability.h b/include/linux/capability.h
index 65efb74c3585..991579178f32 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -270,6 +270,12 @@ static inline bool
checkpoint_restore_ns_capable(struct user_namespace *ns)
ns_capable(ns, CAP_SYS_ADMIN);
}
+static inline bool mac_admin_ns_capable(struct user_namespace *ns)
+{
+ return ns_capable(ns, CAP_MAC_ADMIN) ||
+ ns_capable(ns, CAP_SYS_ADMIN);
Do you care about audit warnings? If the task has CAP_SYS_ADMIN but
not CAP_MAC_ADMIN, is it desirable that selinux_capable() will audit the
CAP_MAC_ADMIN failure?
Good point. I will switch both to ns_capable_noaudit() so that the
user cannot provoke unnecessary audit message.
Actually, I will only change the MAC_ADMIN to not do auditing and not
change the auditing behavior related to SYS_ADMIN.
Stefan
