On Fri, May 31, 2024 at 04:47:20PM +0100, Matthew Wilcox wrote:
> On Fri, May 31, 2024 at 04:50:16PM +0200, Christian Brauner wrote:
> > So then I propose we just make the deny write stuff during exec
> > conditional on IMA being active. At the end it's small- vs chicken pox.
> >
> > (I figure it won't be enough for IMA to read the executable after it has
> > been mapped MS_PRIVATE?)
>
> do you mean MAP_PRIVATE?
>
> If so, you have a misapprehension. We can change the contents of the
> pagecache after MAP_PRIVATE and that will not cause COW. COW only
> occurs if someone writes through a MAP_PRIVATE.

If IMA does want to prevent writes, I suggest it puts a lease on the file.
That's a mechanism that all writes must honour, rather than it being an IMA
speciality.
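The following is an added example written for this page; it is not code from the thread, from IMA or from the kernel tree. It demonstrates the two points in the reply above on a Linux box: first, that a MAP_PRIVATE mapping of a file keeps following the page cache until the mapper itself writes through it, so a write(2) from any other opener changes the "measured" executable bytes with no COW; second, that a read lease (fcntl F_SETLEASE) is a generic VFS mechanism that a would-be writer's open(2) must honour. The temp file under /tmp, its contents, and the function names are constructed for the example; the lease function reports 0 rather than failing where leases are unavailable (fs.leases-enable=0, a sandbox, or a filesystem without lease support).

```c
/* Added example, not from the LKML thread. Constructed temp file and data. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Linux-specific fcntl commands, in case the headers were pulled in without
 * _GNU_SOURCE; values are the kernel's F_LINUX_SPECIFIC_BASE + 0. */
#ifndef F_SETLEASE
#define F_SETLEASE 1024
#endif

/* Constructed stand-ins for executable bytes, same length so one pwrite(2)
 * of either fully overwrites the other. */
static const char ORIG_BYTES[] = "ORIGINAL-EXECUTABLE-BYTES";
static const char NEW_BYTES[]  = "MODIFIED-EXECUTABLE-BYTES";

/* Create a temp file holding ORIG_BYTES (NUL included); 0 on success. */
static int make_file(char *path, size_t len)
{
    snprintf(path, len, "/tmp/lease-demo-XXXXXX");
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, ORIG_BYTES, sizeof ORIG_BYTES);
    close(fd);
    return n == (ssize_t)sizeof ORIG_BYTES ? 0 : -1;
}

/* Point 1. Returns 1 if the private mapping first showed ORIG_BYTES, then
 * NEW_BYTES after a pwrite(2) through a separate fd (page cache changed,
 * no COW), and only stopped following the file after a write through the
 * mapping (COW). 0 if the kernel behaved otherwise, -1 on setup failure. */
int private_mapping_follows_pagecache(void)
{
    char path[64];
    if (make_file(path, sizeof path) < 0)
        return -1;
    int rfd = open(path, O_RDONLY);
    int wfd = open(path, O_WRONLY);
    if (rfd < 0 || wfd < 0) { unlink(path); return -1; }

    /* PROT_WRITE + MAP_PRIVATE is legal on a read-only fd: private writes
     * never reach the file, like the writable data segment of an exec'd ELF. */
    char *map = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE, rfd, 0);
    if (map == MAP_FAILED) { close(rfd); close(wfd); unlink(path); return -1; }

    int saw_orig = strcmp(map, ORIG_BYTES) == 0;   /* faults the page-cache page in */

    /* The content is now changed underneath the mapping: no COW has happened. */
    if (pwrite(wfd, NEW_BYTES, sizeof NEW_BYTES, 0) != (ssize_t)sizeof NEW_BYTES)
        saw_orig = 0;
    int saw_new = strcmp(map, NEW_BYTES) == 0;

    /* A write through the mapping is what triggers COW; only after that does
     * a further file write stop being visible in the mapping. */
    map[0] = 'X';
    pwrite(wfd, ORIG_BYTES, sizeof ORIG_BYTES, 0);
    int detached = map[0] == 'X' && strcmp(map + 1, NEW_BYTES + 1) == 0;

    munmap(map, 4096);
    close(rfd); close(wfd); unlink(path);
    return (saw_orig && saw_new && detached) ? 1 : 0;
}

/* Lease breaks are reported to the holder with SIGIO, whose default action
 * would terminate the process, so install a no-op handler. */
static void on_lease_break(int sig) { (void)sig; }

/* Point 2. Returns 1 if a read lease made a writer's non-blocking open fail
 * with EWOULDBLOCK and the open succeeded once the lease was dropped; 0 if
 * F_SETLEASE is unavailable here; -1 on any other outcome. */
int lease_blocks_writer(void)
{
    char path[64];
    if (make_file(path, sizeof path) < 0)
        return -1;
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_lease_break;
    sigaction(SIGIO, &sa, NULL);

    int rfd = open(path, O_RDONLY);   /* a read lease needs a read-only fd */
    if (rfd < 0) { unlink(path); return -1; }
    if (fcntl(rfd, F_SETLEASE, F_RDLCK) < 0) { close(rfd); unlink(path); return 0; }

    /* Any writer, IMA-aware or not, is refused while the lease holds; the
     * kernel starts the lease break and signals the holder. */
    int wfd = open(path, O_WRONLY | O_NONBLOCK);
    int refused = (wfd < 0 && errno == EWOULDBLOCK);
    if (wfd >= 0) close(wfd);

    /* The holder releases the lease; the writer retries and gets in. */
    fcntl(rfd, F_SETLEASE, F_UNLCK);
    wfd = open(path, O_WRONLY | O_NONBLOCK);
    int allowed = wfd >= 0;
    if (wfd >= 0) close(wfd);

    close(rfd); unlink(path);
    return (refused && allowed) ? 1 : -1;
}

int main(void)
{
    printf("MAP_PRIVATE follows page cache until COW: %d\n",
           private_mapping_follows_pagecache());
    printf("lease refused writer, then allowed after release: %d\n",
           lease_blocks_writer());
    return 0;
}
```

The first function is the security-relevant half: a measurement taken from the page cache before exec maps the file proves nothing about what the process later executes unless writers are kept out, because the mapping is still reading the same page-cache pages. The second shows why a lease is the right tool for that: it is enforced in the VFS open path against every opener, not just those that know about IMA.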