[RESEND][PATCH] ima: Set and clear FMODE_CAN_READ in ima_calc_file_hash()
Al Viro
viro at zeniv.linux.org.uk
Mon Nov 16 18:08:55 UTC 2020
On Mon, Nov 16, 2020 at 09:37:32AM -0800, Linus Torvalds wrote:
> On Mon, Nov 16, 2020 at 8:47 AM Mimi Zohar <zohar at linux.ibm.com> wrote:
> >
> > This discussion seems to be going down the path of requiring an IMA
> > filesystem hook for reading the file, again. That solution was
> > rejected, not by me. What is new this time?
>
> You can't read a non-read-opened file. Not even IMA can.
>
> So don't do that then.
>
> IMA is doing something wrong. Why would you ever read a file that can't be read?
>
> Fix whatever "open" function instead of trying to work around the fact
> that you opened it wrong.
IMA pulls that crap on _every_ open(2), including O_WRONLY. As far as I'm
concerned, the only sane answer is not enabling that thing on your builds;
they are deeply special and I hadn't been able to reason with them no
matter how much I tried ;-/
More information about the Linux-security-module-archive
mailing list