Message ID | 20211130160654.1418231-16-stefanb@linux.ibm.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | ima: Namespace IMA with audit support in IMA-ns | expand |
On 11/30/2021 8:06 AM, Stefan Berger wrote: > From: Denis Semakin <denis.semakin@huawei.com> > > This patch introduces CAP_INTEGRITY_ADMIN, a new capability that allows > to setup IMA (Integrity Measurement Architecture) policies per container > for non-root users. Why not use CAP_MAC_ADMIN? IMA is a mandatory policy. The scope is system security administration. It seems to fit your needs. I introduced CAP_MAC_ADMIN for Smack, and believe that IMA using it would be completely appropriate. > > The main purpose of this new capability is discribed in this document: > https://kernsec.org/wiki/index.php/IMA_Namespacing_design_considerations > It is said: "setting the policy should be possibly without the powerful > CAP_SYS_ADMIN and there should be the opportunity to gate this with a new > capability CAP_INTEGRITY_ADMIN that allows a user to set the IMA policy > during container runtime.." > > In other words it should be possible to setup IMA policies while not > giving too many privilges to the user, therefore splitting the > CAP_INTEGRITY_ADMIN off from CAP_SYS_ADMIN. > > Signed-off-by: Denis Semakin <denis.semakin@huawei.com> > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> > --- > include/linux/capability.h | 6 ++++++ > include/uapi/linux/capability.h | 7 ++++++- > security/selinux/include/classmap.h | 4 ++-- > 3 files changed, 14 insertions(+), 3 deletions(-) > > diff --git a/include/linux/capability.h b/include/linux/capability.h > index 65efb74c3585..ea6d58acb95e 100644 > --- a/include/linux/capability.h > +++ b/include/linux/capability.h > @@ -278,4 +278,10 @@ int get_vfs_caps_from_disk(struct user_namespace *mnt_userns, > int cap_convert_nscap(struct user_namespace *mnt_userns, struct dentry *dentry, > const void **ivalue, size_t size); > > +static inline bool integrity_admin_ns_capable(struct user_namespace *ns) > +{ > + return ns_capable(ns, CAP_INTEGRITY_ADMIN) || > + ns_capable(ns, CAP_SYS_ADMIN); > +} > + > #endif /* !_LINUX_CAPABILITY_H */ > diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h > index 463d1ba2232a..48b08e4b3895 100644 > --- a/include/uapi/linux/capability.h > +++ b/include/uapi/linux/capability.h > @@ -417,7 +417,12 @@ struct vfs_ns_cap_data { > > #define CAP_CHECKPOINT_RESTORE 40 > > -#define CAP_LAST_CAP CAP_CHECKPOINT_RESTORE > +/* Allow setup IMA policy per container independently */ > +/* No necessary to be superuser */ > + > +#define CAP_INTEGRITY_ADMIN 41 > + > +#define CAP_LAST_CAP CAP_INTEGRITY_ADMIN > > #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP) > > diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h > index 35aac62a662e..7ff532b90f09 100644 > --- a/security/selinux/include/classmap.h > +++ b/security/selinux/include/classmap.h > @@ -28,9 +28,9 @@ > > #define COMMON_CAP2_PERMS "mac_override", "mac_admin", "syslog", \ > "wake_alarm", "block_suspend", "audit_read", "perfmon", "bpf", \ > - "checkpoint_restore" > + "checkpoint_restore", "integrity_admin" > > -#if CAP_LAST_CAP > CAP_CHECKPOINT_RESTORE > +#if CAP_LAST_CAP > CAP_INTEGRITY_ADMIN > #error New capability defined, please update COMMON_CAP2_PERMS. > #endif >
On 11/30/21 12:27, Casey Schaufler wrote: > On 11/30/2021 8:06 AM, Stefan Berger wrote: >> From: Denis Semakin <denis.semakin@huawei.com> >> >> This patch introduces CAP_INTEGRITY_ADMIN, a new capability that allows >> to setup IMA (Integrity Measurement Architecture) policies per container >> for non-root users. > > Why not use CAP_MAC_ADMIN? IMA is a mandatory policy. The scope > is system security administration. It seems to fit your needs. > I introduced CAP_MAC_ADMIN for Smack, and believe that IMA using > it would be completely appropriate. Fine by me. I suppose we could be reusing it later on also for setting file extended attributes for IMA? Stefan
On 11/30/2021 9:41 AM, Stefan Berger wrote: > > On 11/30/21 12:27, Casey Schaufler wrote: >> On 11/30/2021 8:06 AM, Stefan Berger wrote: >>> From: Denis Semakin <denis.semakin@huawei.com> >>> >>> This patch introduces CAP_INTEGRITY_ADMIN, a new capability that allows >>> to setup IMA (Integrity Measurement Architecture) policies per container >>> for non-root users. >> >> Why not use CAP_MAC_ADMIN? IMA is a mandatory policy. The scope >> is system security administration. It seems to fit your needs. >> I introduced CAP_MAC_ADMIN for Smack, and believe that IMA using >> it would be completely appropriate. > > Fine by me. I suppose we could be reusing it later on also for setting file extended attributes for IMA? Yes. That would be completely consistent with the intention and the Smack implementation. > > Stefan > >
diff --git a/include/linux/capability.h b/include/linux/capability.h index 65efb74c3585..ea6d58acb95e 100644 --- a/include/linux/capability.h +++ b/include/linux/capability.h @@ -278,4 +278,10 @@ int get_vfs_caps_from_disk(struct user_namespace *mnt_userns, int cap_convert_nscap(struct user_namespace *mnt_userns, struct dentry *dentry, const void **ivalue, size_t size); +static inline bool integrity_admin_ns_capable(struct user_namespace *ns) +{ + return ns_capable(ns, CAP_INTEGRITY_ADMIN) || + ns_capable(ns, CAP_SYS_ADMIN); +} + #endif /* !_LINUX_CAPABILITY_H */ diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h index 463d1ba2232a..48b08e4b3895 100644 --- a/include/uapi/linux/capability.h +++ b/include/uapi/linux/capability.h @@ -417,7 +417,12 @@ struct vfs_ns_cap_data { #define CAP_CHECKPOINT_RESTORE 40 -#define CAP_LAST_CAP CAP_CHECKPOINT_RESTORE +/* Allow setup IMA policy per container independently */ +/* No necessary to be superuser */ + +#define CAP_INTEGRITY_ADMIN 41 + +#define CAP_LAST_CAP CAP_INTEGRITY_ADMIN #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP) diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index 35aac62a662e..7ff532b90f09 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h @@ -28,9 +28,9 @@ #define COMMON_CAP2_PERMS "mac_override", "mac_admin", "syslog", \ "wake_alarm", "block_suspend", "audit_read", "perfmon", "bpf", \ - "checkpoint_restore" + "checkpoint_restore", "integrity_admin" -#if CAP_LAST_CAP > CAP_CHECKPOINT_RESTORE +#if CAP_LAST_CAP > CAP_INTEGRITY_ADMIN #error New capability defined, please update COMMON_CAP2_PERMS. #endif