On file open, the kernel has no way of differentiating between files containing data and those with code that will be executed. Only the interpreter knows how the file will be used.

To bridge this gap, this patch set extends the IMA policy language:
- to identify files with the executable mode bit set
- to support the new file open flag MAY_OPENEXEC introduced by Mickael Salaun's "[PATCH v3 0/5] Add support for RESOLVE_MAYEXEC" patch set.

Mimi

Mimi Zohar (2):
  ima: add policy support for identifying file execute mode bit
  ima: add policy support for the new file open MAY_OPENEXEC flag

 Documentation/ABI/testing/ima_policy |  7 ++++---
 security/integrity/ima/ima_main.c    |  3 ++-
 security/integrity/ima/ima_policy.c  | 33 +++++++++++++++++++++++++++------
 3 files changed, 33 insertions(+), 10 deletions(-)

-- 
2.7.5