[Cc'ing linux-integrity] On Thu, 2018-12-13 at 12:26 +0100, Florian Weimer wrote: > * Mimi Zohar: > > > The indication needs to be set during file open, before the open > > returns to the caller. This is the point where ima_file_check() > > verifies the file's signature. On failure, access to the file is > > denied. > > Does this verification happen for open with O_PATH? Interesting! According to the manpage, userspace cannot read/write to the file. It looks like do_o_path() intentionally skips do_last(), with the call to ima_file_check(). If the file data isn't being accessed, does the file's integrity need to be verified? Mimi