[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <e482c499-8bff-72c8-bbda-1ecc5a7f3452@schaufler-ca.com>
Date: Tue, 30 Nov 2021 09:27:30 -0800
From: Casey Schaufler <casey@...aufler-ca.com>
To: Stefan Berger <stefanb@...ux.ibm.com>,
linux-integrity@...r.kernel.org
Cc: zohar@...ux.ibm.com, serge@...lyn.com,
christian.brauner@...ntu.com, containers@...ts.linux.dev,
dmitry.kasatkin@...il.com, ebiederm@...ssion.com,
krzysztof.struczynski@...wei.com, roberto.sassu@...wei.com,
mpeters@...hat.com, lhinds@...hat.com, lsturman@...hat.com,
puiterwi@...hat.com, jejb@...ux.ibm.com, jamjoom@...ibm.com,
linux-kernel@...r.kernel.org, paul@...l-moore.com, rgb@...hat.com,
linux-security-module@...r.kernel.org, jmorris@...ei.org,
Denis Semakin <denis.semakin@...wei.com>,
Casey Schaufler <casey@...aufler-ca.com>
Subject: Re: [RFC 15/20] capabilities: Introduce CAP_INTEGRITY_ADMIN
On 11/30/2021 8:06 AM, Stefan Berger wrote:
> From: Denis Semakin <denis.semakin@...wei.com>
>
> This patch introduces CAP_INTEGRITY_ADMIN, a new capability that allows
> to setup IMA (Integrity Measurement Architecture) policies per container
> for non-root users.
Why not use CAP_MAC_ADMIN? IMA is a mandatory policy. The scope
is system security administration. It seems to fit your needs.
I introduced CAP_MAC_ADMIN for Smack, and believe that IMA using
it would be completely appropriate.
>
> The main purpose of this new capability is discribed in this document:
> https://kernsec.org/wiki/index.php/IMA_Namespacing_design_considerations
> It is said: "setting the policy should be possibly without the powerful
> CAP_SYS_ADMIN and there should be the opportunity to gate this with a new
> capability CAP_INTEGRITY_ADMIN that allows a user to set the IMA policy
> during container runtime.."
>
> In other words it should be possible to setup IMA policies while not
> giving too many privilges to the user, therefore splitting the
> CAP_INTEGRITY_ADMIN off from CAP_SYS_ADMIN.
>
> Signed-off-by: Denis Semakin <denis.semakin@...wei.com>
> Signed-off-by: Stefan Berger <stefanb@...ux.ibm.com>
> ---
> include/linux/capability.h | 6 ++++++
> include/uapi/linux/capability.h | 7 ++++++-
> security/selinux/include/classmap.h | 4 ++--
> 3 files changed, 14 insertions(+), 3 deletions(-)
>
> diff --git a/include/linux/capability.h b/include/linux/capability.h
> index 65efb74c3585..ea6d58acb95e 100644
> --- a/include/linux/capability.h
> +++ b/include/linux/capability.h
> @@ -278,4 +278,10 @@ int get_vfs_caps_from_disk(struct user_namespace *mnt_userns,
> int cap_convert_nscap(struct user_namespace *mnt_userns, struct dentry *dentry,
> const void **ivalue, size_t size);
>
> +static inline bool integrity_admin_ns_capable(struct user_namespace *ns)
> +{
> + return ns_capable(ns, CAP_INTEGRITY_ADMIN) ||
> + ns_capable(ns, CAP_SYS_ADMIN);
> +}
> +
> #endif /* !_LINUX_CAPABILITY_H */
> diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
> index 463d1ba2232a..48b08e4b3895 100644
> --- a/include/uapi/linux/capability.h
> +++ b/include/uapi/linux/capability.h
> @@ -417,7 +417,12 @@ struct vfs_ns_cap_data {
>
> #define CAP_CHECKPOINT_RESTORE 40
>
> -#define CAP_LAST_CAP CAP_CHECKPOINT_RESTORE
> +/* Allow setup IMA policy per container independently */
> +/* No necessary to be superuser */
> +
> +#define CAP_INTEGRITY_ADMIN 41
> +
> +#define CAP_LAST_CAP CAP_INTEGRITY_ADMIN
>
> #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
>
> diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
> index 35aac62a662e..7ff532b90f09 100644
> --- a/security/selinux/include/classmap.h
> +++ b/security/selinux/include/classmap.h
> @@ -28,9 +28,9 @@
>
> #define COMMON_CAP2_PERMS "mac_override", "mac_admin", "syslog", \
> "wake_alarm", "block_suspend", "audit_read", "perfmon", "bpf", \
> - "checkpoint_restore"
> + "checkpoint_restore", "integrity_admin"
>
> -#if CAP_LAST_CAP > CAP_CHECKPOINT_RESTORE
> +#if CAP_LAST_CAP > CAP_INTEGRITY_ADMIN
> #error New capability defined, please update COMMON_CAP2_PERMS.
> #endif
>
Powered by blists - more mailing lists