On Tue, Oct 10, 2017 at 3:21 PM, Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
> I was hoping we could replace the existing bprm_check with the new
> creds_check, but not all of the binfmts registered are covered. Only
> those that call install_exec_creds() are covered. This should
> probably be reflected in the ima_creds_check() description.
> Otherwise, the patch looks good.

The semantics are different - bprm_check will check sub_user and co against the pre-exec() credentials, creds_check against the post-exec() credentials. That feels like something that could break existing policies, so I think we need to keep them independent. I'll rewrite the description and resend.
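The following IMA policy fragment is an added illustration of the pre-exec versus post-exec point made in the reply; it is not part of the thread or of the patch under review. It assumes the new hook is exposed to policy as func=CREDS_CHECK (the existing hook is func=BPRM_CHECK), that the rule keywords uid= and subj_user= are matched against whichever credential the hook passes in, and that the binary in question is a setuid-root helper run by an unprivileged user with uid 1000 (a constructed scenario). Under those assumptions the two rules below are evaluated against different subjects for the same exec(), which is why silently replacing one hook with the other would change what existing rules match:

```text
# Constructed IMA policy example (not from the patch or the thread).
# Scenario: uid 1000 executes a setuid-root binary.

# BPRM_CHECK is evaluated against the credentials of the caller,
# i.e. the pre-exec() credentials.  For the setuid binary this rule
# sees uid 1000, so it matches.
measure func=BPRM_CHECK mask=MAY_EXEC uid=1000

# CREDS_CHECK (assumed name for the new hook) is evaluated against
# the credentials the task will run with after the exec() completes.
# For the same setuid binary this rule sees uid 0, so uid=1000 does
# not match; only a uid=0 rule would.
measure func=CREDS_CHECK mask=MAY_EXEC uid=1000
measure func=CREDS_CHECK mask=MAY_EXEC uid=0

# The same split applies to the LSM subject labels (subj_user=,
# subj_role=, subj_type=) when the transition changes the label:
# the BPRM_CHECK rule matches the caller's label, the CREDS_CHECK
# rule matches the post-transition label.
measure func=BPRM_CHECK  mask=MAY_EXEC subj_user=unconfined_u
measure func=CREDS_CHECK mask=MAY_EXEC subj_user=system_u
```

A practical check before adopting the new hook: take each existing func=BPRM_CHECK rule that carries a uid=, subj_user=, subj_role= or subj_type= qualifier and ask whether it was written to describe who runs the binary or what the binary will run as. Only rules of the second kind translate directly to the post-exec hook; the first kind must stay on BPRM_CHECK, which is the reason given in the reply for keeping the two hooks independent rather than replacing one with the other.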