On 15-10-20 09:03:19, Mimi Zohar wrote:
> On Tue, 2015-10-20 at 15:10 +0300, Petko Manolov wrote:
> >
> > By "security hole" i mean being able to read it at all. Root or non-root.
> > Knowing what the IMA policy is may give the attacker an idea how to
> > circumvent it. I used stronger words in order to attract the user's
> > attention and consider carefully what the implications are when enabling
> > this option.
> >
> > However, i do not insist on keeping this comment. I will remove it or
> > re-word it if you think it is nonsensical in it's present form.
> >
> > BTW, i still think it is a good idea that only the root user have access to
> > the IMA policy. Unless i hear otherwise i am planning to keep the current
> > functionality.
>
> Exactly! Because only privileged users (eg. root) have access to securityfs
> files, I don't see the security concern.
OK, so i'll remove the scary warning. :)
> > > Since responding, I've enabled this feature. Very nice!
> >
> > Have you tried it?
>
> Yes, being able to see the existing policy is nice.
>
> BTW, I haven't compared this patch with the original one yet. Unless there
> were so many changes so that it isn't the same patch anymore, the patch
> author
> should be Zbigniew JasiĆski <z.jasin...@samsung.com>. Any changes you made
> would be listed in the change log.
The patch is modified significantly, but not to the point to be a new one. The
changes mostly address your comments about using raw strings instead of those
that already exist. I feel that there's more to be done there, but will wait
for you to review it first.
Unfortunately i never heard from Zbigniew even though he's copied in this
thread
since the beginning. I would very much like to hear his comments.
Petko
--
To unsubscribe from this list: send the line "unsubscribe
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
