Re: [RFC 15/20] capabilities: Introduce CAP_INTEGRITY_ADMIN

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 11/30/2021 9:41 AM, Stefan Berger wrote:

On 11/30/21 12:27, Casey Schaufler wrote:
On 11/30/2021 8:06 AM, Stefan Berger wrote:
From: Denis Semakin <denis.semakin@xxxxxxxxxx>

This patch introduces CAP_INTEGRITY_ADMIN, a new capability that allows
to setup IMA (Integrity Measurement Architecture) policies per container
for non-root users.

Why not use CAP_MAC_ADMIN? IMA is a mandatory policy. The scope
is system security administration. It seems to fit your needs.
I introduced CAP_MAC_ADMIN for Smack, and believe that IMA using
it would be completely appropriate.

Fine by me. I suppose we could be reusing it later on also for setting file extended attributes for IMA?

Yes. That would be completely consistent with the intention and the
Smack implementation.


   Stefan





[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux