On Mon, Oct 16, 2017 at 2:58 PM, Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:
> On 10/16/2017 1:37 PM, Matthew Garrett wrote:
>> For IMA purposes, we want to be able to obtain the prepared secid in the
>> bprm structure before the credentials are committed. Add a cred_getsecid
>> hook that makes this possible.
>
> Why do you want the secid? What are you planning to do with it?

See the following patch - IMA policy allows the admin to restrict appraisal to executables running in specific security contexts. However, right now the check at application execution time ends up using the current task creds before the new creds are committed.
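A concrete rule of the kind the reply refers to, added here as an illustration that is not part of the thread or of the patch series. The SELinux type `foo_t` is a placeholder; the `func=BPRM_CHECK` and `subj_type=` keywords are the standard IMA policy syntax.

```text
# Constructed IMA policy rule (not from the thread): appraise only executables
# that are exec'd by a task whose SELinux type is foo_t (placeholder name).
appraise func=BPRM_CHECK subj_type=foo_t
```

A rule like this is loaded by writing it to the securityfs policy interface (`ima/policy`). The `subj_type=` clause is the subject-context restriction the reply describes: at BPRM_CHECK it is matched against a set of credentials, and the reply's point is that today those are the calling task's credentials, not the ones prepared in the bprm for the new image, which is what the proposed cred_getsecid hook is meant to let IMA look up.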