Re: [RESEND][PATCH] ima: Set and clear FMODE_CAN_READ in ima_calc_file_hash()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 2020-11-17 at 15:36 -0800, Linus Torvalds wrote:
> Another alternative is to change the policy and say "any write-only
> open gets turned into a read-write open".
> 
> But it needs to be done at *OPEN* time, not randomly afterwards by
> just lying to the 'struct file'.

The ima_file_check hook is at open, but it is immediately after
vfs_open().   Only after the file is opened can we determine if the
file is in policy.  If the file was originally opened without read
permission, a new file instance (dentry_open) with read permission is
opened.  Would limiting opening a new file instance with read
permission to just the ima_file_check hook be acceptable?

thanks,

Mimi




[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux