Re: [RFC v2 15/19] capabilities: Introduce CAP_INTEGRITY_ADMIN

[Stefan Berger]

On 12/3/21 11:40, Casey Schaufler wrote:
> On 12/2/2021 6:31 PM, Stefan Berger wrote:
> > From: Denis Semakin <denis.semakin@xxxxxxxxxx>
> >
> > This patch introduces CAP_INTEGRITY_ADMIN, a new capability that allows
> > to setup IMA (Integrity Measurement Architecture) policies per container
> > for non-root users.
> >
> > The main purpose of this new capability is discribed in this document:
> > https://kernsec.org/wiki/index.php/IMA_Namespacing_design_considerations
> > It is said: "setting the policy should be possibly without the powerful
> > CAP_SYS_ADMIN and there should be the opportunity to gate this with a 
> > new
> > capability CAP_INTEGRITY_ADMIN that allows a user to set the IMA policy
> > during container runtime.."
> >
> > In other words it should be possible to setup IMA policies while not
> > giving too many privilges to the user, therefore splitting the
> > CAP_INTEGRITY_ADMIN off from CAP_SYS_ADMIN.
>
> Please use CAP_MAC_ADMIN, as discussed on the previous submission.

I wasn't clear on consensus. But sure, let's go with CAP_MAC_ADMIN.

   Stefan