From: Casey Schaufler <casey@schaufler-ca.com>
To: Stefan Berger <stefanb@linux.ibm.com>, linux-integrity@vger.kernel.org
Cc: zohar@linux.ibm.com, serge@hallyn.com,
christian.brauner@ubuntu.com, containers@lists.linux.dev,
dmitry.kasatkin@gmail.com, ebiederm@xmission.com,
krzysztof.struczynski@huawei.com, roberto.sassu@huawei.com,
mpeters@redhat.com, lhinds@redhat.com, lsturman@redhat.com,
puiterwi@redhat.com, jejb@linux.ibm.com, jamjoom@us.ibm.com,
linux-kernel@vger.kernel.org, paul@paul-moore.com,
rgb@redhat.com, linux-security-module@vger.kernel.org,
jmorris@namei.org, Denis Semakin <denis.semakin@huawei.com>,
Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [RFC v2 15/19] capabilities: Introduce CAP_INTEGRITY_ADMIN
Date: Fri, 3 Dec 2021 08:40:50 -0800 [thread overview]
Message-ID: <2f145bcf-72a7-3697-0bce-f7a74e6ecc93@schaufler-ca.com> (raw)
In-Reply-To: <20211203023118.1447229-16-stefanb@linux.ibm.com>
On 12/2/2021 6:31 PM, Stefan Berger wrote:
> From: Denis Semakin <denis.semakin@huawei.com>
>
> This patch introduces CAP_INTEGRITY_ADMIN, a new capability that allows
> to setup IMA (Integrity Measurement Architecture) policies per container
> for non-root users.
>
> The main purpose of this new capability is discribed in this document:
> https://kernsec.org/wiki/index.php/IMA_Namespacing_design_considerations
> It is said: "setting the policy should be possibly without the powerful
> CAP_SYS_ADMIN and there should be the opportunity to gate this with a new
> capability CAP_INTEGRITY_ADMIN that allows a user to set the IMA policy
> during container runtime.."
>
> In other words it should be possible to setup IMA policies while not
> giving too many privilges to the user, therefore splitting the
> CAP_INTEGRITY_ADMIN off from CAP_SYS_ADMIN.
Please use CAP_MAC_ADMIN, as discussed on the previous submission.
>
> Signed-off-by: Denis Semakin <denis.semakin@huawei.com>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
> include/linux/capability.h | 6 ++++++
> include/uapi/linux/capability.h | 7 ++++++-
> security/selinux/include/classmap.h | 4 ++--
> 3 files changed, 14 insertions(+), 3 deletions(-)
>
> diff --git a/include/linux/capability.h b/include/linux/capability.h
> index 65efb74c3585..ea6d58acb95e 100644
> --- a/include/linux/capability.h
> +++ b/include/linux/capability.h
> @@ -278,4 +278,10 @@ int get_vfs_caps_from_disk(struct user_namespace *mnt_userns,
> int cap_convert_nscap(struct user_namespace *mnt_userns, struct dentry *dentry,
> const void **ivalue, size_t size);
>
> +static inline bool integrity_admin_ns_capable(struct user_namespace *ns)
> +{
> + return ns_capable(ns, CAP_INTEGRITY_ADMIN) ||
> + ns_capable(ns, CAP_SYS_ADMIN);
> +}
> +
> #endif /* !_LINUX_CAPABILITY_H */
> diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
> index 463d1ba2232a..48b08e4b3895 100644
> --- a/include/uapi/linux/capability.h
> +++ b/include/uapi/linux/capability.h
> @@ -417,7 +417,12 @@ struct vfs_ns_cap_data {
>
> #define CAP_CHECKPOINT_RESTORE 40
>
> -#define CAP_LAST_CAP CAP_CHECKPOINT_RESTORE
> +/* Allow setup IMA policy per container independently */
> +/* No necessary to be superuser */
> +
> +#define CAP_INTEGRITY_ADMIN 41
> +
> +#define CAP_LAST_CAP CAP_INTEGRITY_ADMIN
>
> #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
>
> diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
> index 35aac62a662e..7ff532b90f09 100644
> --- a/security/selinux/include/classmap.h
> +++ b/security/selinux/include/classmap.h
> @@ -28,9 +28,9 @@
>
> #define COMMON_CAP2_PERMS "mac_override", "mac_admin", "syslog", \
> "wake_alarm", "block_suspend", "audit_read", "perfmon", "bpf", \
> - "checkpoint_restore"
> + "checkpoint_restore", "integrity_admin"
>
> -#if CAP_LAST_CAP > CAP_CHECKPOINT_RESTORE
> +#if CAP_LAST_CAP > CAP_INTEGRITY_ADMIN
> #error New capability defined, please update COMMON_CAP2_PERMS.
> #endif
>
next prev parent reply other threads:[~2021-12-03 16:40 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-03 2:30 [RFC v2 00/19] ima: Namespace IMA with audit support in IMA-ns Stefan Berger
2021-12-03 2:31 ` [RFC v2 01/19] ima: Add IMA namespace support Stefan Berger
2021-12-03 2:31 ` [RFC v2 02/19] ima: Define ns_status for storing namespaced iint data Stefan Berger
2021-12-03 2:31 ` [RFC v2 03/19] ima: Namespace audit status flags Stefan Berger
2021-12-03 2:31 ` [RFC v2 04/19] ima: Move delayed work queue and variables into ima_namespace Stefan Berger
2021-12-03 2:31 ` [RFC v2 05/19] ima: Move IMA's keys queue related " Stefan Berger
2021-12-03 2:31 ` [RFC v2 06/19] ima: Move policy " Stefan Berger
2021-12-03 2:31 ` [RFC v2 07/19] ima: Move ima_htable " Stefan Berger
2021-12-03 2:31 ` [RFC v2 08/19] ima: Move measurement list related variables " Stefan Berger
2021-12-03 2:31 ` [RFC v2 09/19] ima: Only accept AUDIT rules for IMA non-init_ima_ns namespaces for now Stefan Berger
2021-12-03 2:31 ` [RFC v2 10/19] ima: Implement hierarchical processing of file accesses Stefan Berger
2021-12-03 2:31 ` [RFC v2 11/19] securityfs: Prefix global variables with securityfs_ Stefan Berger
2021-12-03 2:31 ` [RFC v2 12/19] securityfs: Pass static variables as parameters from top level functions Stefan Berger
2021-12-03 2:31 ` [RFC v2 13/19] securityfs: Extend securityfs with namespacing support Stefan Berger
2021-12-03 2:31 ` [RFC v2 14/19] ima: Move some IMA policy and filesystem related variables into ima_namespace Stefan Berger
2021-12-03 2:31 ` [RFC v2 15/19] capabilities: Introduce CAP_INTEGRITY_ADMIN Stefan Berger
2021-12-03 16:40 ` Casey Schaufler [this message]
2021-12-03 17:39 ` Stefan Berger
2021-12-03 2:31 ` [RFC v2 16/19] ima: Use integrity_admin_ns_capable() to check corresponding capability Stefan Berger
2021-12-03 2:31 ` [RFC v2 17/19] userns: Introduce a refcount variable for calling early teardown function Stefan Berger
2021-12-03 2:31 ` [RFC v2 18/19] ima/userns: Define early teardown function for IMA namespace Stefan Berger
2021-12-03 2:31 ` [RFC v2 19/19] ima: Setup securityfs " Stefan Berger
2021-12-03 15:07 ` Stefan Berger
2021-12-03 17:03 ` James Bottomley
2021-12-03 18:06 ` Stefan Berger
2021-12-03 18:50 ` James Bottomley
2021-12-03 19:11 ` Stefan Berger
2021-12-04 0:33 ` Stefan Berger
2021-12-06 11:52 ` Christian Brauner
2021-12-06 4:27 ` James Bottomley
2021-12-06 14:03 ` Stefan Berger
2021-12-06 14:11 ` James Bottomley
2021-12-06 17:22 ` Stefan Berger
2021-12-03 19:37 ` Casey Schaufler
2021-12-06 12:08 ` Christian Brauner
2021-12-06 13:38 ` James Bottomley
2021-12-06 14:13 ` Christian Brauner
2021-12-06 15:44 ` Christian Brauner
2021-12-06 16:25 ` James Bottomley
2021-12-06 14:11 ` Christian Brauner
2021-12-06 14:21 ` James Bottomley
2021-12-06 14:42 ` Christian Brauner
2021-12-06 14:51 ` James Bottomley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2f145bcf-72a7-3697-0bce-f7a74e6ecc93@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=christian.brauner@ubuntu.com \
--cc=containers@lists.linux.dev \
--cc=denis.semakin@huawei.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=ebiederm@xmission.com \
--cc=jamjoom@us.ibm.com \
--cc=jejb@linux.ibm.com \
--cc=jmorris@namei.org \
--cc=krzysztof.struczynski@huawei.com \
--cc=lhinds@redhat.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lsturman@redhat.com \
--cc=mpeters@redhat.com \
--cc=paul@paul-moore.com \
--cc=puiterwi@redhat.com \
--cc=rgb@redhat.com \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=stefanb@linux.ibm.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox