On Thu, 2018-10-04 at 00:35 +0200, Miklos Szeredi wrote:
> Right, if it's done from last fput() then it's at least not a security hole.
>
> This hack may work for some filesystems, but as you noticed, it won't
> work for overlayfs. And it probably won't work for a number of other
> filesystems as well: the fs can assume that f_mode & FMODE_READ will
> remain off if it was off at open time.
>
> The proper way to handle it generally is to open a separate instance
> of the same file from IMA with O_RDONLY and use that to calculate the
> hash. There's really no point in reusing the same file and hacking
> the f_mode bits.

Is there an appropriate low-level kernel call for creating a new file
descriptor that would be appropriate? dentry_open(), like the call in
file_clone_open(), has a lot of overhead, including the LSM calls.
Calculating the file hash always needs to work.

Mimi
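The point Miklos makes above, that a file opened without read access cannot be read through that same struct file and that the integrity hash therefore has to come from a separate read-only open of the same inode, has a direct userspace analogue. The program below is an added example written for this page; it is not code from the thread, from IMA, or from the kernel. It creates a constructed sample file, writes to it through an O_WRONLY descriptor, shows that reading back through that descriptor fails with EBADF (the userspace counterpart of FMODE_READ being off), and then hashes the contents through a second, read-only open of the same file. Assumptions: Linux with /proc mounted (the reopen goes through /proc/self/fd/N, with a fallback to the path, since userspace has no dentry_open()), a writable /tmp, and FNV-1a 64-bit as a stand-in for the real IMA digest algorithm. The function names hash_fd, reopen_readonly and demo are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed sample contents for the demo file. */
static const char SAMPLE_CONTENT[] = "constructed sample file contents\n";

/* FNV-1a 64-bit: a stand-in for the IMA digest (sha1/sha256), chosen only
 * to keep the example self-contained. */
static const uint64_t FNV_BASIS = 14695981039346656037ULL;
static const uint64_t FNV_PRIME = 1099511628211ULL;

static uint64_t fnv1a_update(uint64_t h, const void *buf, size_t n)
{
    const unsigned char *p = buf;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= FNV_PRIME;
    }
    return h;
}

uint64_t fnv1a(const void *buf, size_t n)
{
    return fnv1a_update(FNV_BASIS, buf, n);
}

/* Hash the whole file behind fd using pread(), so the caller's file
 * position is not disturbed. Returns 0 on success or -errno on failure;
 * on a descriptor opened without read access, pread() fails with EBADF. */
int hash_fd(int fd, uint64_t *out)
{
    uint64_t h = FNV_BASIS;
    unsigned char buf[4096];
    off_t off = 0;

    for (;;) {
        ssize_t n = pread(fd, buf, sizeof buf, off);
        if (n < 0)
            return -errno;
        if (n == 0)
            break;
        h = fnv1a_update(h, buf, (size_t)n);
        off += n;
    }
    *out = h;
    return 0;
}

/* Userspace analogue of "open a separate instance of the same file with
 * O_RDONLY": reopen the file behind fd through /proc/self/fd/N, which yields
 * a new open file description with its own f_mode. If /proc is unavailable
 * (assumption: rare), fall back to the path. The original fd is untouched. */
int reopen_readonly(int fd, const char *fallback_path)
{
    char procpath[64];
    int rfd;

    snprintf(procpath, sizeof procpath, "/proc/self/fd/%d", fd);
    rfd = open(procpath, O_RDONLY | O_CLOEXEC);
    if (rfd < 0 && fallback_path)
        rfd = open(fallback_path, O_RDONLY | O_CLOEXEC);
    return rfd;
}

/* Runs the experiment. Returns 0 when it behaves as the thread describes:
 * hashing through the O_WRONLY fd fails with EBADF and hashing through a
 * separate O_RDONLY open succeeds. Other values identify the failed step. */
int demo(uint64_t *digest_out)
{
    char path[] = "/tmp/ima-reopen-XXXXXX";
    size_t len = strlen(SAMPLE_CONTENT);
    uint64_t d = 0;
    int fd, wfd, rfd, rc;

    fd = mkstemp(path);
    if (fd < 0)
        return 1;
    close(fd);

    wfd = open(path, O_WRONLY | O_TRUNC);    /* no read access, as in the thread */
    if (wfd < 0) {
        unlink(path);
        return 2;
    }
    rc = 9;
    if (write(wfd, SAMPLE_CONTENT, len) != (ssize_t)len)
        goto out;

    rc = hash_fd(wfd, &d);                   /* must fail: fd lacks read mode */
    if (rc != -EBADF) {
        rc = 3;
        goto out;
    }

    rfd = reopen_readonly(wfd, path);        /* separate read-only instance */
    if (rfd < 0) {
        rc = 4;
        goto out;
    }
    rc = hash_fd(rfd, &d);
    close(rfd);
    if (rc != 0) {
        rc = 5;
        goto out;
    }
    *digest_out = d;
    rc = 0;
out:
    close(wfd);
    unlink(path);
    return rc;
}

int main(void)
{
    uint64_t d;
    int rc = demo(&d);

    if (rc != 0) {
        fprintf(stderr, "demo step %d failed\n", rc);
        return 1;
    }
    printf("write-only fd: read rejected with EBADF\n");
    printf("read-only reopen digest: %016llx\n", (unsigned long long)d);
    return 0;
}
```

The reopen creates a new open file description rather than flipping mode bits on the existing one, which is the property the thread is after: the writer's descriptor keeps exactly the access mode it was opened with, and the hashing side gets a real read-capable instance. In the kernel the equivalent is the cost Mimi raises, since a fresh open goes through the full open path including LSM hooks, whereas here it is a single open(2).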