[PATCH v7 7/7] ima: add policy support for the new file open MAY_OPENEXEC flag
Kees Cook
keescook at chromium.org
Fri Jul 24 19:04:38 UTC 2020
On Thu, Jul 23, 2020 at 07:12:27PM +0200, Mickaël Salaün wrote:
> From: Mimi Zohar <zohar at linux.ibm.com>
>
> The kernel has no way of differentiating between a file containing data
> or code being opened by an interpreter. The proposed O_MAYEXEC
> openat2(2) flag bridges this gap by defining and enabling the
> MAY_OPENEXEC flag.
>
> This patch adds IMA policy support for the new MAY_OPENEXEC flag.
>
> Example:
> measure func=FILE_CHECK mask=^MAY_OPENEXEC
> appraise func=FILE_CHECK appraise_type=imasig mask=^MAY_OPENEXEC
>
> Signed-off-by: Mickaël Salaün <mic at digikod.net>
^^^ this S-o-b should the last in the fields.
> Signed-off-by: Mimi Zohar <zohar at linux.ibm.com>
> Reviewed-by: Lakshmi Ramasubramanian <nramas at linux.microsoft.com>
> Link: https://lore.kernel.org/r/1588167523-7866-3-git-send-email-zohar@linux.ibm.com
Reviewed-by: Kees Cook <keescook at chromium.org>
--
Kees Cook
More information about the Linux-security-module-archive
mailing list