[RESEND][PATCH] ima: Set and clear FMODE_CAN_READ in ima_calc_file_hash()

Al Viro viro at zeniv.linux.org.uk
Mon Nov 16 18:08:55 UTC 2020


On Mon, Nov 16, 2020 at 09:37:32AM -0800, Linus Torvalds wrote:
> On Mon, Nov 16, 2020 at 8:47 AM Mimi Zohar <zohar at linux.ibm.com> wrote:
> >
> > This discussion seems to be going down the path of requiring an IMA
> > filesystem hook for reading the file, again.  That solution was
> > rejected, not by me.  What is new this time?
> 
> You can't read a non-read-opened file. Not even IMA can.
> 
> So don't do that then.
> 
> IMA is doing something wrong. Why would you ever read a file that can't be read?
>
> Fix whatever "open" function instead of trying to work around the fact
> that you opened it wrong.

IMA pulls that crap on _every_ open(2), including O_WRONLY.  As far as I'm
concerned, the only sane answer is not enabling that thing on your builds;
they are deeply special and I hadn't been able to reason with them no
matter how much I tried ;-/



More information about the Linux-security-module-archive mailing list