Re: [PATCH net-next] modules: allow modprobe load regular elf binaries

On Fri, Mar 9, 2018 at 10:35 AM, David Miller <davem@xxxxxxxxxxxxx> wrote:
> From: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
> Date: Fri, 9 Mar 2018 10:17:42 -0800
>
>>  - use deny_write_access() to make sure that we don't have active
>> writers and cannot get them during the execve.
>
> I agree that this is necessary for image validation purposes.

Module loading (via kernel_read_file()) already uses
deny_write_access(), and so does do_open_execat(). As long as module
loading doesn't call allow_write_access() before the execve() has
started in the new implementation, I think we'd be covered here.

-Kees

-- 
Kees Cook
Pixel Security
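
An added example, not code from this thread or from the kernel tree: a single-threaded user-space model of the `i_writecount` convention behind `deny_write_access()` and `allow_write_access()`, showing why the loader's deny has to stay held until the execve() has taken its own. `struct inode_model` and `writer_in_window()` are hypothetical names, and the plain `int` stands in for the kernel's atomic counter.

```c
/* User-space model of the i_writecount protocol (added example).
 * count > 0: number of writers; count < 0: number of deny holders. */
#include <errno.h>
#include <stdio.h>

struct inode_model { int i_writecount; };  /* plain int: single-threaded model */

/* open-for-write path: succeeds only while nobody denies writes */
static int get_write_access(struct inode_model *i)
{
    if (i->i_writecount < 0) return -ETXTBSY;
    i->i_writecount++;
    return 0;
}
static void put_write_access(struct inode_model *i) { i->i_writecount--; }

/* kernel_read_file() / do_open_execat() path: succeeds only with no writers */
static int deny_write_access(struct inode_model *i)
{
    if (i->i_writecount > 0) return -ETXTBSY;
    i->i_writecount--;
    return 0;
}
static void allow_write_access(struct inode_model *i) { i->i_writecount++; }

/* Load-then-exec sequence. release_early != 0 models dropping the loader's
 * deny before exec has taken its own. Returns what a writer sees when it
 * tries to open the image between validation and exec. */
static int writer_in_window(int release_early)
{
    struct inode_model img = { 0 };
    int w;

    if (deny_write_access(&img)) return 1;         /* loader reads and validates */
    if (release_early) allow_write_access(&img);   /* gap opens here */
    w = get_write_access(&img);                    /* concurrent writer */
    if (w == 0) put_write_access(&img);            /* writer changed file, closed */
    if (deny_write_access(&img)) return 1;         /* exec takes its own deny */
    if (!release_early) allow_write_access(&img);  /* loader drops after exec began */
    return w;
}

int main(void)
{
    printf("deny held across exec: writer -> %d\n", writer_in_window(0));
    printf("deny dropped early:    writer -> %d\n", writer_in_window(1));
    return 0;
}
```

In the second case the writer succeeds and exec still gets its deny afterwards, so the image that runs is no longer the one that was validated.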