On 2/6/22 12:20, Stefan Berger wrote:

On 2/5/22 00:58, Serge E. Hallyn wrote:

quoted

On Tue, Feb 01, 2022 at 03:37:20PM -0500, Stefan Berger wrote:

quoted

Define mac_admin_ns_capable() as a wrapper for the combined 
ns_capable()
checks on CAP_MAC_ADMIN and CAP_SYS_ADMIN in a user namespace. Return
true on the check if either capability or both are available.

Use mac_admin_ns_capable() in place of capable(SYS_ADMIN). This will 
allow
an IMA namespace to read the policy with only CAP_MAC_ADMIN, which has
less privileges than CAP_SYS_ADMIN.

Signed-off-by: Denis Semakin <redacted>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
  include/linux/capability.h      | 6 ++++++
  security/integrity/ima/ima.h    | 6 ++++++
  security/integrity/ima/ima_fs.c | 5 ++++-
  3 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/include/linux/capability.h b/include/linux/capability.h
index 65efb74c3585..991579178f32 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h

@@ -270,6 +270,12 @@ static inline bool 

checkpoint_restore_ns_capable(struct user_namespace *ns)
          ns_capable(ns, CAP_SYS_ADMIN);
  }
  +static inline bool mac_admin_ns_capable(struct user_namespace *ns)
+{
+    return ns_capable(ns, CAP_MAC_ADMIN) ||
+        ns_capable(ns, CAP_SYS_ADMIN);

Do you care about audit warnings?  If the task has CAP_SYS_ADMIN but
not CAP_MAC_ADMIN, is it desirable that selinux_capable() will audit the
CAP_MAC_ADMIN failure?

Good point.  I will switch both to ns_capable_noaudit() so that the 
user cannot provoke unnecessary audit message.

Actually,  I will only change the MAC_ADMIN to not do auditing and not 
change the auditing behavior related to SYS_ADMIN.

    Stefan