On Mon, Jan 18, 2016 at 10:11:15AM -0500, Mimi Zohar wrote: > For a while it was looked down upon to directly read files from Linux. > These days there exists a few mechanisms in the kernel that do just this > though to load a file into a local buffer. There are minor but important > checks differences on each, we should take all the best practices from > each of them, generalize them and make all places in the kernel that > read a file use it.[1] > > One difference is the method for opening the file. In some cases we > have a file, while in other cases we have a pathname or a file descriptor. > > Another difference is the security hook calls, or lack of them. In > some versions there is a post file read hook, while in others there > is a pre file read hook. > > This patch set is the first attempt at resolving these differences. It > does not attempt to merge the different methods of opening a file, but > defines a single common kernel file read function with two wrappers. > Although this patch set defines two new security hooks for pre and post > file read, it does not attempt to merge the existing security hooks. > That is left as future work. > > Changelog v2: > - Combined the "ima: measuring/appraising files read by the kernel" patches > with this patch set to simplify review. > - Split the "ima: measure and appraise kexec image and initramfs" patch to > separate IMA from the kexec changes. > > The latest version of these patches can be found in the next-kernel-read-v2 > branch of: > git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git > > [1] Taken from Luis Rodriguez's wiki - > http://kernelnewbies.org/KernelProjects/common-kernel-loader Did 0-day bot get a chance to test this tree? If not can it be added ? Luis
