On Thu, Jul 16, 2020 at 04:40:15PM +0200, Mickaël Salaün wrote: > > On 15/07/2020 22:40, Kees Cook wrote: > > On Tue, Jul 14, 2020 at 08:16:38PM +0200, Mickaël Salaün wrote: > >> From: Mimi Zohar <zohar@xxxxxxxxxxxxx> > >> > >> The kernel has no way of differentiating between a file containing data > >> or code being opened by an interpreter. The proposed O_MAYEXEC > >> openat2(2) flag bridges this gap by defining and enabling the > >> MAY_OPENEXEC flag. > >> > >> This patch adds IMA policy support for the new MAY_OPENEXEC flag. > >> > >> Example: > >> measure func=FILE_CHECK mask=^MAY_OPENEXEC > >> appraise func=FILE_CHECK appraise_type=imasig mask=^MAY_OPENEXEC > >> > >> Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx> > >> Reviewed-by: Lakshmi Ramasubramanian <nramas@xxxxxxxxxxxxxxxxxxx> > >> Acked-by: Mickaël Salaün <mic@xxxxxxxxxxx> > > > > (Process nit: if you're sending this on behalf of another author, then > > this should be Signed-off-by rather than Acked-by.) > > I'm not a co-author of this patch. Correct, but you are part of the delivery path to its entry to the tree. If you were co-author, you would include "Co-developed-by" with a Signed-off-by. (So my nit stands) For excruciating details: https://www.kernel.org/doc/html/latest/process/submitting-patches.html#when-to-use-acked-by-cc-and-co-developed-by "The Signed-off-by: tag indicates that the signer was ... in the patch’s delivery path." "Co-developed-by: ... is a used to give attribution to co-authors ..." -- Kees Cook
