On Fri, Mar 9, 2018 at 11:47 AM, Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
> On Fri, Mar 9, 2018 at 11:30 AM, Kees Cook <keescook@xxxxxxxxxxxx> wrote:
>> The LSM check should happen after the file has been confirmed to be
>> unchanging. Without this, we could have a race between the Time of Check
>> (the call to security_kernel_read_file() which could read the file and
>> make access policy decisions) and the Time of Use (starting with
>> kernel_read_file()'s reading of the file contents). In theory, file
>> contents could change between the two.
>
> I'm going to assume I get this for 4.17 from the security tree.
>
> Because I'm guessing there are actually no existing users that care?
> selinux seems to just look at file state, not actually at contents or
> anything that write access denial would care about.
>
> And the only other security module that even registers this is
> loadpin, and again it just seems to check things like "on the right
> filesystem" that aren't actually impacted by write access (in fact,
> the documented reason is to check that it's a read-only filesystem so
> that write access is simply _irrelevant_).
>
> So this issue seems to be mainly a cleanliness thing, not an actual bug.

That is my assumption too (I left off the Cc: stable as a result).

I'm much less familiar with IMA, though, but it's a caller of
kernel_read_file(), not hooking it, etc.

-Kees

-- 
Kees Cook
Pixel Security
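The ordering problem the commit message describes, as an added user-space model that is not part of the thread and not kernel code: a policy hook inspects a file's contents, and the contents are then consumed. In the racy ordering the hook runs before writers are excluded, so the bytes consumed can differ from the bytes the policy approved; in the fixed ordering writers are excluded first. The names here (`model_file`, `policy_hook`, `concurrent_writer`, the `write_denied` flag standing in for deny_write_access(), and the "APPROVED:" tag policy) are all invented for this model.

```c
/* Added example: a user-space model of check-then-use ordering for a file
 * read. Nothing here is kernel code; all names are invented for the model. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define CONTENT_MAX 64

/* Stand-in for a file object: contents plus a flag modelling that write
 * access has been denied (the "confirmed to be unchanging" state). */
struct model_file {
    char contents[CONTENT_MAX];
    bool write_denied;
};

/* A writer racing with the reader. Returns true if it replaced the contents,
 * false if write access was already denied. */
static bool concurrent_writer(struct model_file *f, const char *new_contents)
{
    if (f->write_denied)
        return false;
    snprintf(f->contents, CONTENT_MAX, "%s", new_contents);
    return true;
}

/* Model of a content-inspecting policy hook: accept only data carrying a
 * constructed "APPROVED:" tag. */
static bool policy_hook(const struct model_file *f)
{
    return strncmp(f->contents, "APPROVED:", 9) == 0;
}

/* Racy ordering: check policy, then exclude writers, then read. The writer
 * call models whatever happens in the window between check and use.
 * Returns 0 on success (out filled) or -1 if policy rejected the file. */
static int read_file_racy(struct model_file *f, const char *racing_write,
                          char *out, size_t out_len)
{
    if (!policy_hook(f))               /* Time of Check on unlocked contents */
        return -1;
    concurrent_writer(f, racing_write); /* contents change after the check */
    f->write_denied = true;            /* too late to guarantee anything */
    snprintf(out, out_len, "%s", f->contents); /* Time of Use */
    f->write_denied = false;
    return 0;
}

/* Fixed ordering: exclude writers first, then check, then read. */
static int read_file_fixed(struct model_file *f, const char *racing_write,
                           char *out, size_t out_len)
{
    f->write_denied = true;            /* file confirmed unchanging */
    if (!policy_hook(f)) {
        f->write_denied = false;
        return -1;
    }
    concurrent_writer(f, racing_write); /* rejected: write access denied */
    snprintf(out, out_len, "%s", f->contents);
    f->write_denied = false;
    return 0;
}

/* Drive one reader with a constructed approved file and a racing tampering
 * write; returns true if the bytes consumed are the bytes policy approved. */
static bool consumed_matches_approved(
    int (*reader)(struct model_file *, const char *, char *, size_t))
{
    struct model_file f = { .contents = "APPROVED:firmware-v1",
                            .write_denied = false };
    char out[CONTENT_MAX];

    if (reader(&f, "TAMPERED:firmware-v2", out, sizeof out) != 0)
        return false;
    return strcmp(out, "APPROVED:firmware-v1") == 0;
}

int main(void)
{
    printf("racy ordering consumed approved bytes:  %s\n",
           consumed_matches_approved(read_file_racy) ? "yes" : "no");
    printf("fixed ordering consumed approved bytes: %s\n",
           consumed_matches_approved(read_file_fixed) ? "yes" : "no");
    return 0;
}
```

Running it shows the racy reader consuming the tampered contents that the policy never saw, while the fixed reader consumes exactly what it approved; as the thread notes, whether this matters in practice depends on whether a given hook actually looks at contents rather than at file state.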