[PATCH v6 7/7] ima: add policy support for the new file open MAY_OPENEXEC flag
Kees Cook
keescook at chromium.org
Wed Jul 15 20:40:14 UTC 2020
On Tue, Jul 14, 2020 at 08:16:38PM +0200, Mickaël Salaün wrote:
> From: Mimi Zohar <zohar at linux.ibm.com>
>
> The kernel has no way of differentiating between a file containing data
> or code being opened by an interpreter. The proposed O_MAYEXEC
> openat2(2) flag bridges this gap by defining and enabling the
> MAY_OPENEXEC flag.
>
> This patch adds IMA policy support for the new MAY_OPENEXEC flag.
>
> Example:
> measure func=FILE_CHECK mask=^MAY_OPENEXEC
> appraise func=FILE_CHECK appraise_type=imasig mask=^MAY_OPENEXEC
>
> Signed-off-by: Mimi Zohar <zohar at linux.ibm.com>
> Reviewed-by: Lakshmi Ramasubramanian <nramas at linux.microsoft.com>
> Acked-by: Mickaël Salaün <mic at digikod.net>
(Process nit: if you're sending this on behalf of another author, then
this should be Signed-off-by rather than Acked-by.)
--
Kees Cook
More information about the Linux-security-module-archive
mailing list