From: Mimi Zohar <zohar@linux.ibm.com>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: linux-integrity@vger.kernel.org
Subject: Re: CAP_SYS_ADMIN requirement for updating IMA metadata
Date: Wed, 22 May 2019 11:19:21 -0400 [thread overview]
Message-ID: <1558538361.4347.35.camel@linux.ibm.com> (raw)
In-Reply-To: <6FC12520-1B2F-46E8-B9B5-05FEA3147688@oracle.com>
On Wed, 2019-05-22 at 10:54 -0400, Chuck Lever wrote:
> Hi Mimi-
>
> I'm working on a section of draft-ietf-nfsv4-integrity-measurement that
> discusses what kind of access permission is necessary to update a file's
> IMA metadata. This is needed because every NFS operation has an associated
> user ID -- an NFS server implementer needs to know which users are allowed
> to alter the IMA metadata.
>
> On Linux, because the metadata is stored in "security.ima", CAP_SYS_ADMIN
> is required.
>
> But on other NFS server implementations (ones that might not have a
> capabilities system), IMA metadata could be stored via a mechanism that
> does not require any special permission.
>
> And, it seems to me that if a user can alter the file content, there is
> no additional harm in her being allowed to update the IMA metadata.
>
> Is there an architectural reason, other than that Linux stores IMA metadata
> in a security.* xattr, for requiring a superuser privilege to update IMA
> metadata?
security.ima may contain either a file hash or signature. The file
hash should be protected via security.evm.[1] Allowing anyone to
update the file hash would defeat its purpose.
Mimi
[1] Refer to Roberto's proposed change "[PATCH 3/4] ima: don't ignore
INTEGRITY_UNKNOWN EVM status"
next prev parent reply other threads:[~2019-05-22 15:19 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-22 14:54 CAP_SYS_ADMIN requirement for updating IMA metadata Chuck Lever
2019-05-22 15:19 ` Mimi Zohar [this message]
2019-05-22 15:49 ` Chuck Lever
2019-05-23 13:25 ` Mimi Zohar
2019-05-30 17:34 ` Chuck Lever
2019-05-30 22:40 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1558538361.4347.35.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=chuck.lever@oracle.com \
--cc=linux-integrity@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.