[RFC PATCH v1 0/5] Add support for O_MAYEXEC
zohar at linux.ibm.com
Thu Dec 13 12:16:52 UTC 2018
On Thu, 2018-12-13 at 12:26 +0100, Florian Weimer wrote:
> * Mimi Zohar:
> > The indication needs to be set during file open, before the open
> > returns to the caller. This is the point where ima_file_check()
> > verifies the file's signature. On failure, access to the file is
> > denied.
> Does this verification happen for open with O_PATH?
Interesting! According to the manpage, userspace cannot read/write to
the file. It looks like do_o_path() intentionally skips do_last(),
with the call to ima_file_check(). If the file data isn't being
accessed, does the file's integrity need to be verified?
More information about the Linux-security-module-archive