On Mon, 2019-06-03 at 16:44 +0200, Roberto Sassu wrote: > On 6/3/2019 4:31 PM, James Bottomley wrote: > > On Mon, 2019-06-03 at 16:29 +0200, Roberto Sassu wrote: [...] > > > How would you prevent root in the container from updating > > > security.ima? > > > > We don't. We only guarantee immutability for unprivileged > > containers, so root can't be inside. > > Ok. > > Regarding the new behavior, this must be explicitly enabled by adding > ima_appraise=enforce-evm or log-evm to the kernel command line. > Otherwise, the current behavior is preserved with this patch. Would > this be ok?
Sure, as long as it's an opt-in flag, meaning the behaviour of my kernels on physical cloud systems doesn't change as I upgrade them, I'm fine with that. James
