* Re: [RFC PATCH v1 0/5] Add support for O_MAYEXEC
From: Mimi Zohar @ 2018-12-13 12:16 UTC
To: Florian Weimer
Cc: Matthew Wilcox, Mickaël Salaün, linux-kernel, Al Viro,
James Morris, Jonathan Corbet, Kees Cook, Matthew Garrett,
Michael Kerrisk, Mickaël Salaün,
Philippe Trébuchet, Shuah Khan, Thibaut Sautereau,
Vincent Strubel, Yves-Alexis Perez, kernel-hardening, linux-api,
linux-security-module, linux-fsdevel, linux-integrity

[Cc'ing linux-integrity]

On Thu, 2018-12-13 at 12:26 +0100, Florian Weimer wrote:
> * Mimi Zohar:
>
> > The indication needs to be set during file open, before the open
> > returns to the caller. This is the point where ima_file_check()
> > verifies the file's signature. On failure, access to the file is
> > denied.
>
> Does this verification happen for open with O_PATH?

Interesting! According to the manpage, userspace cannot read/write to
the file. It looks like do_o_path() intentionally skips do_last(),
with the call to ima_file_check(). If the file data isn't being
accessed, does the file's integrity need to be verified?

Mimi
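
The O_PATH behaviour the reply cites from the manpage, as an added example that is not part of the original message or the patch series: a descriptor opened with O_PATH rejects read(), write() and mmap() with EBADF, while fstat() still works. The scratch file, `probe_o_path()` and `struct opath_result` are constructed for illustration.

```c
#define _GNU_SOURCE             /* O_PATH is a Linux extension */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_PATH                  /* fallback: asm-generic value (x86, arm, ...) */
#define O_PATH 010000000
#endif

struct opath_result {
    int read_errno;   /* errno from read() on the O_PATH fd, 0 if it worked */
    int write_errno;  /* errno from write(), 0 if it worked */
    int mmap_errno;   /* errno from mmap(PROT_READ|PROT_EXEC), 0 if it worked */
    int fstat_ok;     /* 1 if fstat() succeeded and reported the right size */
};

/* Create a constructed scratch file, open it with O_PATH only, probe it. */
int probe_o_path(struct opath_result *r)
{
    char path[] = "/tmp/opath-demo-XXXXXX";
    char buf[8];
    struct stat st;
    int tmp = mkstemp(path);
    if (tmp < 0 || write(tmp, "payload", 7) != 7) return -1;
    close(tmp);
    int fd = open(path, O_PATH | O_CLOEXEC);  /* no data access requested */
    unlink(path);                             /* fd keeps the inode alive */
    if (fd < 0) return -1;

    r->read_errno = read(fd, buf, sizeof buf) < 0 ? errno : 0;
    r->write_errno = write(fd, "x", 1) < 0 ? errno : 0;
    void *m = mmap(NULL, 7, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0);
    r->mmap_errno = (m == MAP_FAILED) ? errno : (munmap(m, 7), 0);
    r->fstat_ok = (fstat(fd, &st) == 0 && st.st_size == 7);
    close(fd);
    return 0;
}

int main(void)
{
    struct opath_result r;
    if (probe_o_path(&r) != 0) return 1;
    printf("read=%d write=%d mmap=%d (EBADF=%d) fstat_ok=%d\n",
           r.read_errno, r.write_errno, r.mmap_errno, EBADF, r.fstat_ok);
    return 0;
}
```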