On Mon, 2019-06-03 at 16:44 +0200, Roberto Sassu wrote:
> On 6/3/2019 4:31 PM, James Bottomley wrote:
> > On Mon, 2019-06-03 at 16:29 +0200, Roberto Sassu wrote:
> > [...]
> > > How would you prevent root in the container from updating security.ima?
> >
> > We don't. We only guarantee immutability for unprivileged containers, so root can't be inside.
>
> Ok.
>
> Regarding the new behavior, this must be explicitly enabled by adding ima_appraise=enforce-evm or log-evm to the kernel command line. Otherwise, the current behavior is preserved with this patch. Would this be ok?

Sure, as long as it's an opt-in flag, meaning the behaviour of my kernels on physical cloud systems doesn't change as I upgrade them, I'm fine with that.

James
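The exchange above turns on the new EVM-coupled appraisal modes being opt-in via the kernel command line. The following shell snippet is an added example, not code from the thread or from the IMA patch set: it parses a kernel command line (the format of /proc/cmdline) and reports whether one of the two modes named in the thread (ima_appraise=enforce-evm or ima_appraise=log-evm) has been requested, so an administrator can verify after an upgrade that appraisal behaviour has not changed without an explicit flag. The sample command lines are constructed for the example; the only assumption is that the flag is spelled exactly as in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the patch): report which IMA appraisal
# mode a kernel command line requests, so that the opt-in behaviour discussed
# above can be confirmed on a booted system.

# ima_appraise_mode CMDLINE -> prints the value of the last ima_appraise= token,
# or "unset" when the command line carries none (existing behaviour applies).
ima_appraise_mode() {
    mode="unset"
    # Word-split the command line on whitespace; kernel parameters never
    # contain quoted spaces, so unquoted $1 is the intended behaviour here.
    for tok in $1; do
        case "$tok" in
            ima_appraise=*) mode="${tok#ima_appraise=}" ;;
        esac
    done
    printf '%s\n' "$mode"
}

# evm_coupled_appraisal CMDLINE -> "yes" when the command line opts into one of
# the modes the thread describes (enforce-evm or log-evm), otherwise "no".
evm_coupled_appraisal() {
    case "$(ima_appraise_mode "$1")" in
        enforce-evm|log-evm) echo yes ;;
        *) echo no ;;
    esac
}

# Constructed sample command lines standing in for /proc/cmdline.
SAMPLE_DEFAULT="BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet"
SAMPLE_OPTIN="BOOT_IMAGE=/vmlinuz root=/dev/sda1 ima_appraise=enforce-evm"

if [ "$(evm_coupled_appraisal "$SAMPLE_DEFAULT")" = no ] && \
   [ "$(evm_coupled_appraisal "$SAMPLE_OPTIN")" = yes ]; then
    echo "samples classified as expected"
fi

# On a live system, check the running kernel with:
#   evm_coupled_appraisal "$(cat /proc/cmdline)"
```

Because the last ima_appraise= token wins in the parser, a bootloader that appends parameters after a distribution default is handled the same way an administrator would read the line by eye.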