ima: Extend permissions to the ima securityfs entries
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I49KW1
CVE: NA

--------------------------------

Add "others" permissions to the namespaced ima securityfs entries. It is necessary so that the root in the user namespace that is the parent of the given ima namespace has access to the ima related data. Loosened DAC restrictions are compensated by an extra check for SYS_ADMIN capabilities in the ima code.

The access is given only to the namespaced data, e.g. root user in the new ima namespace will see measurement list entries collected for that namespace and not for the other existing namespaces. The only exception is made for the admin in the initial user namespace, who has access to all the data.

Signed-off-by: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>
Reviewed-by: Zhang Tianxing <zhangtianxing3@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>