On Wed, 2019-05-22 at 10:54 -0400, Chuck Lever wrote:
> Hi Mimi-
>
> I'm working on a section of draft-ietf-nfsv4-integrity-measurement that
> discusses what kind of access permission is necessary to update a file's
> IMA metadata. This is needed because every NFS operation has an associated
> user ID -- an NFS server implementer needs to know which users are allowed
> to alter the IMA metadata.
>
> On Linux, because the metadata is stored in "security.ima", CAP_SYS_ADMIN
> is required.
>
> But on other NFS server implementations (ones that might not have a
> capabilities system), IMA metadata could be stored via a mechanism that
> does not require any special permission.
>
> And, it seems to me that if a user can alter the file content, there is
> no additional harm in her being allowed to update the IMA metadata.
>
> Is there an architectural reason, other than that Linux stores IMA metadata
> in a security.* xattr, for requiring a superuser privilege to update IMA
> metadata?

security.ima may contain either a file hash or signature. The file hash
should be protected via security.evm.[1] Allowing anyone to update the
file hash would defeat its purpose.

Mimi

[1] Refer to Roberto's proposed change "[PATCH 3/4] ima: don't ignore
INTEGRITY_UNKNOWN EVM status"
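The point of the reply, in runnable form: the following is an added model written for this page, not code from the Linux IMA/EVM implementation or from the NFS draft, and it deliberately does not reproduce the kernel's on-disk xattr encoding or its rehash-on-close behaviour. It keeps two layers the thread names: a content hash stored in `security.ima` (signatures in `security.ima` are not modelled), and an HMAC in `security.evm` over that xattr plus a little inode metadata, computed with a key held only by the (modelled) kernel. The `ModelFile`, `EVM_KEY`, `set_xattr` and the scenario functions are constructed for illustration. It shows why an unsealed hash that any user may rewrite proves nothing, while a sealed one makes a content change, or a rewrite of the hash without `CAP_SYS_ADMIN`, detectable.

```python
import hashlib
import hmac

# Constructed placeholder: in the real system the EVM key lives in the kernel
# keyring and is never available to an unprivileged writer.
EVM_KEY = b"constructed-evm-key-held-only-by-the-kernel"


class ModelFile:
    """Minimal model of a file: content, owner uid, mode, security.* xattrs."""

    def __init__(self, content: bytes, uid: int, mode: int = 0o644):
        self.content = content
        self.uid = uid
        self.mode = mode
        self.xattrs: dict[str, bytes] = {}


def ima_hash(content: bytes) -> bytes:
    """What the model stores in security.ima: a SHA-256 of the content."""
    return hashlib.sha256(content).digest()


def evm_hmac(f: ModelFile) -> bytes:
    """Keyed HMAC over security.ima plus inode metadata (simplified EVM)."""
    h = hmac.new(EVM_KEY, digestmod="sha256")
    h.update(f.xattrs.get("security.ima", b""))
    h.update(f.uid.to_bytes(4, "little"))
    h.update(f.mode.to_bytes(4, "little"))
    return h.digest()


def label(f: ModelFile) -> None:
    """Privileged labelling: store the hash, then seal it with EVM."""
    f.xattrs["security.ima"] = ima_hash(f.content)
    f.xattrs["security.evm"] = evm_hmac(f)


def set_xattr(f: ModelFile, name: str, value: bytes,
              caller_uid: int, has_cap_sys_admin: bool) -> None:
    """Model of the Linux rule the thread cites: security.* needs CAP_SYS_ADMIN."""
    if name.startswith("security.") and not has_cap_sys_admin:
        raise PermissionError(f"uid {caller_uid} lacks CAP_SYS_ADMIN for {name}")
    f.xattrs[name] = value


def write_content(f: ModelFile, new_content: bytes, caller_uid: int) -> None:
    """Ordinary file write: only the owner may change content in this model."""
    if caller_uid != f.uid:
        raise PermissionError(f"uid {caller_uid} may not write this file")
    f.content = new_content


def verify_ima_only(f: ModelFile) -> bool:
    """Appraisal that trusts security.ima as-is (no EVM)."""
    return hmac.compare_digest(f.xattrs.get("security.ima", b""), ima_hash(f.content))


def verify_with_evm(f: ModelFile) -> bool:
    """Appraisal that first checks the EVM seal, then the content hash."""
    evm_ok = hmac.compare_digest(f.xattrs.get("security.evm", b""), evm_hmac(f))
    return evm_ok and verify_ima_only(f)


def scenario_unprotected_hash() -> dict:
    """Hash in security.ima that anyone may rewrite: tampering is invisible."""
    f = ModelFile(b"original", uid=1000)
    f.xattrs["security.ima"] = ima_hash(f.content)
    write_content(f, b"tampered", caller_uid=1000)
    f.xattrs["security.ima"] = ima_hash(f.content)  # owner rewrites the hash too
    return {"ima_ok": verify_ima_only(f)}  # True: the hash proved nothing


def scenario_evm_protected() -> dict:
    """Hash sealed by EVM and writable only with CAP_SYS_ADMIN."""
    f = ModelFile(b"original", uid=1000)
    label(f)
    write_content(f, b"tampered", caller_uid=1000)
    stale_detected = not verify_with_evm(f)  # content no longer matches hash
    try:
        set_xattr(f, "security.ima", ima_hash(f.content), 1000, has_cap_sys_admin=False)
        setxattr_denied = False
    except PermissionError:
        setxattr_denied = True
    # Even if the hash were rewritten through a path that skipped the capability
    # check, the EVM HMAC was computed over the old value and now fails.
    f.xattrs["security.ima"] = ima_hash(f.content)
    evm_detects_rewrite = not verify_with_evm(f)
    label(f)  # a privileged relabel restores a consistent state
    return {
        "stale_detected": stale_detected,
        "setxattr_denied": setxattr_denied,
        "evm_detects_rewrite": evm_detects_rewrite,
        "relabel_ok": verify_with_evm(f),
    }


if __name__ == "__main__":
    print("unprotected:", scenario_unprotected_hash())
    print("evm-protected:", scenario_evm_protected())
```

The two scenarios map onto the two positions in the thread: in the first, an owner who can write the content can also write the hash, so appraisal passes after tampering and the hash adds nothing; in the second, the hash is both capability-gated and covered by a keyed seal, so a content change shows up as a stale hash and a hash rewrite shows up as an EVM mismatch until someone privileged relabels.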