[RFC 04/11] ima: add support to namespace securityfs file

[RFC 00/11] ima: namespace support for IMA policy · Guilherme Magalhaes <hidden> · 2017-05-11
[RFC 01/11] ima: qualify pathname in audit info record · Guilherme Magalhaes <hidden> · 2017-05-11
[RFC 02/11] ima: qualify pathname in audit measurement record · Guilherme Magalhaes <hidden> · 2017-05-11
[RFC 03/11] ima: qualify pathname in measurement file · Guilherme Magalhaes <hidden> · 2017-05-11
[RFC 04/11] ima: add support to namespace securityfs file · Guilherme Magalhaes <hidden> · 2017-05-11
Re: [RFC 04/11] ima: add support to namespace securityfs file · Tycho Andersen <hidden> · 2017-05-18
Re: [RFC 04/11] ima: add support to namespace securityfs file · Mimi Zohar <hidden> · 2017-05-24
Re: [RFC 04/11] ima: add support to namespace securityfs file · John Johansen <john.johansen@canonical.com> · 2017-05-25
Re: [RFC 04/11] ima: add support to namespace securityfs file · Mimi Zohar <hidden> · 2017-05-25
RE: [RFC 04/11] ima: add support to namespace securityfs file · Magalhaes, Guilherme (Brazil R&D-CL) <hidden> · 2017-05-25
Re: [RFC 04/11] ima: add support to namespace securityfs file · Mimi Zohar <hidden> · 2017-05-29
Re: [RFC 04/11] ima: add support to namespace securityfs file · Dr. Greg Wettstein <hidden> · 2017-05-31
[RFC 05/11] ima: store new namespace policy structure in a radix tree · Guilherme Magalhaes <hidden> · 2017-05-11
[RFC 06/11] ima, fs: release namespace policy resources · Guilherme Magalhaes <hidden> · 2017-05-11
[RFC 08/11] ima: block initial namespace id on the namespace policy interface · Guilherme Magalhaes <hidden> · 2017-05-11
[RFC 07/11] ima: new namespace policy structure to track initial namespace policy data · Guilherme Magalhaes <hidden> · 2017-05-11
[RFC 09/11] ima: delete namespace policy securityfs file in write-once mode · Guilherme Magalhaes <hidden> · 2017-05-11
[RFC 10/11] ima: handling all policy flags per namespace using ima_ns_policy structure · Guilherme Magalhaes <hidden> · 2017-05-11
RE: [RFC 00/11] ima: namespace support for IMA policy · Magalhaes, Guilherme (Brazil R&D-CL) <hidden> · 2017-05-11

From: Tycho Andersen <hidden>
Date: 2017-05-18 21:39:42
Also in: linux-fsdevel, lkml

Hi Guilherme,

On Thu, May 11, 2017 at 10:59:56AM -0300, Guilherme Magalhaes wrote:

+static int ima_open_namespaces(struct inode *inode, struct file *filp)
+{
+	if (!(filp->f_flags & O_WRONLY))
+		return -EACCES;
+
+	if (!capable(CAP_SYS_ADMIN))
+		return -EPERM;
+
+	if (test_and_set_bit(IMA_FS_BUSY, &ima_fs_flags))
+		return -EBUSY;

It probably makes sense to do something like:

if (!(ima_appraise & IMA_APPRAISE_NAMESPACE))
	return -EINVAL;

here.

I'll keep playing around with this patchset and see if I have any
other feedback.

Cheers,

Tycho
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help