On 15-10-20 09:03:19, Mimi Zohar wrote: > On Tue, 2015-10-20 at 15:10 +0300, Petko Manolov wrote: > > > > By "security hole" i mean being able to read it at all. Root or non-root. > > Knowing what the IMA policy is may give the attacker an idea how to > > circumvent it. I used stronger words in order to attract the user's > > attention and consider carefully what the implications are when enabling > > this option. > > > > However, i do not insist on keeping this comment. I will remove it or > > re-word it if you think it is nonsensical in it's present form. > > > > BTW, i still think it is a good idea that only the root user have access to > > the IMA policy. Unless i hear otherwise i am planning to keep the current > > functionality. > > Exactly! Because only privileged users (eg. root) have access to securityfs > files, I don't see the security concern.
OK, so i'll remove the scary warning. :) > > > Since responding, I've enabled this feature. Very nice! > > > > Have you tried it? > > Yes, being able to see the existing policy is nice. > > BTW, I haven't compared this patch with the original one yet. Unless there > were so many changes so that it isn't the same patch anymore, the patch > author > should be Zbigniew JasiĆski <z.jasin...@samsung.com>. Any changes you made > would be listed in the change log. The patch is modified significantly, but not to the point to be a new one. The changes mostly address your comments about using raw strings instead of those that already exist. I feel that there's more to be done there, but will wait for you to review it first. Unfortunately i never heard from Zbigniew even though he's copied in this thread since the beginning. I would very much like to hear his comments. Petko -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html