On Wed, Jul 22, 2020 at 03:29:26PM -0700, Scott Branden wrote:
> These changes don't pass the kernel-selftest for partial reads I added
> (which are at the end of this patch v2 series).

Oh, interesting. Is there any feedback in dmesg? I wonder if I have the
LSMs configured differently than you?

> See change below added for temp workaround for issue.
>
> [...]
> > +
> > + whole_file = (offset == 0 && i_size <= buf_size);
> A hack to get this passing I added which probably breaks some security?
> if (whole_file) {
> > + ret = security_kernel_read_file(file, id, whole_file);
> > + if (ret)
> > + goto out;
> > +
> }

This would imply I did something wrong in the LSM hook refactoring (i.e.
some LSM is rejecting the !whole_file case, but if the entire call to
the hooks are skipped, it's okay). What does this return on your test
system:

	echo $(cat /sys/kernel/security/lsm)

(I wonder if I have IMA configured differently...)

Mimi, have you had a chance to test these changes?

-- 
Kees Cook
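
Review bot: the "if (whole_file) {" wrapper around security_kernel_read_file(file, id, whole_file) means no LSM hook runs at all when offset != 0 or i_size > buf_size, so partial reads go unchecked, and the whole_file argument is always true whenever the hook is reached. Keep the call unconditional and instead identify which LSM returns the error for the !whole_file case, so the fix lands in that hook rather than in the caller.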