Re: [PATCH v6 7/7] ima: add policy support for the new file open MAY_OPENEXEC flag

[PATCH v6 0/7] Add support for O_MAYEXEC · Mickaël Salaün <mic@digikod.net> · 2020-07-14
[PATCH v6 5/7] fs,doc: Enable to enforce noexec mounts or file exec through O_MAYEXEC · Mickaël Salaün <mic@digikod.net> · 2020-07-14
Re: [PATCH v6 5/7] fs,doc: Enable to enforce noexec mounts or file exec through O_MAYEXEC · Randy Dunlap <hidden> · 2020-07-14
Re: [PATCH v6 5/7] fs,doc: Enable to enforce noexec mounts or file exec through O_MAYEXEC · Mickaël Salaün <mic@digikod.net> · 2020-07-16
Re: [PATCH v6 5/7] fs,doc: Enable to enforce noexec mounts or file exec through O_MAYEXEC · Kees Cook <hidden> · 2020-07-15
Re: [PATCH v6 5/7] fs,doc: Enable to enforce noexec mounts or file exec through O_MAYEXEC · Mickaël Salaün <mic@digikod.net> · 2020-07-16
Re: [PATCH v6 5/7] fs,doc: Enable to enforce noexec mounts or file exec through O_MAYEXEC · Thibaut Sautereau <hidden> · 2020-07-22
Re: [PATCH v6 5/7] fs,doc: Enable to enforce noexec mounts or file exec through O_MAYEXEC · Mickaël Salaün <mic@digikod.net> · 2020-07-22
Re: [PATCH v6 5/7] fs,doc: Enable to enforce noexec mounts or file exec through O_MAYEXEC · Kees Cook <hidden> · 2020-07-22
[PATCH v6 6/7] selftest/openat2: Add tests for O_MAYEXEC enforcing · Mickaël Salaün <mic@digikod.net> · 2020-07-14
Re: [PATCH v6 6/7] selftest/openat2: Add tests for O_MAYEXEC enforcing · Kees Cook <hidden> · 2020-07-15
[PATCH v6 7/7] ima: add policy support for the new file open MAY_OPENEXEC flag · Mickaël Salaün <mic@digikod.net> · 2020-07-14
Re: [PATCH v6 7/7] ima: add policy support for the new file open MAY_OPENEXEC flag · Kees Cook <hidden> · 2020-07-15
Re: [PATCH v6 7/7] ima: add policy support for the new file open MAY_OPENEXEC flag · Mickaël Salaün <mic@digikod.net> · 2020-07-16
Re: [PATCH v6 7/7] ima: add policy support for the new file open MAY_OPENEXEC flag · Randy Dunlap <hidden> · 2020-07-16
Re: [PATCH v6 7/7] ima: add policy support for the new file open MAY_OPENEXEC flag · Mickaël Salaün <mic@digikod.net> · 2020-07-16
Re: [PATCH v6 7/7] ima: add policy support for the new file open MAY_OPENEXEC flag · Kees Cook <hidden> · 2020-07-16
Re: [PATCH v6 7/7] ima: add policy support for the new file open MAY_OPENEXEC flag · Kees Cook <hidden> · 2020-07-16
[PATCH v6 2/7] exec: Move S_ISREG() check earlier · Mickaël Salaün <mic@digikod.net> · 2020-07-14
[PATCH v6 3/7] exec: Move path_noexec() check earlier · Mickaël Salaün <mic@digikod.net> · 2020-07-14
[PATCH v6 1/7] exec: Change uselib(2) IS_SREG() failure to EACCES · Mickaël Salaün <mic@digikod.net> · 2020-07-14
[PATCH v6 4/7] fs: Introduce O_MAYEXEC flag for openat2(2) · Mickaël Salaün <mic@digikod.net> · 2020-07-14
Re: [PATCH v6 4/7] fs: Introduce O_MAYEXEC flag for openat2(2) · Kees Cook <hidden> · 2020-07-15
Re: [PATCH v6 4/7] fs: Introduce O_MAYEXEC flag for openat2(2) · Mickaël Salaün <mic@digikod.net> · 2020-07-16
Re: [PATCH v6 4/7] fs: Introduce O_MAYEXEC flag for openat2(2) · Kees Cook <hidden> · 2020-07-16

From: Kees Cook <hidden>
Date: 2020-07-16 19:13:38
Also in: linux-api, linux-fsdevel, linux-integrity, linux-security-module

On Thu, Jul 16, 2020 at 07:59:20AM -0700, Randy Dunlap wrote:

On 7/16/20 7:40 AM, Mickaël Salaün wrote:

quoted

On 15/07/2020 22:40, Kees Cook wrote:

quoted

On Tue, Jul 14, 2020 at 08:16:38PM +0200, Mickaël Salaün wrote:

quoted

From: Mimi Zohar <zohar@linux.ibm.com>

The kernel has no way of differentiating between a file containing data
or code being opened by an interpreter.  The proposed O_MAYEXEC
openat2(2) flag bridges this gap by defining and enabling the
MAY_OPENEXEC flag.

This patch adds IMA policy support for the new MAY_OPENEXEC flag.

Example:
measure func=FILE_CHECK mask=^MAY_OPENEXEC
appraise func=FILE_CHECK appraise_type=imasig mask=^MAY_OPENEXEC

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Lakshmi Ramasubramanian <redacted>
Acked-by: Mickaël Salaün <mic@digikod.net>

(Process nit: if you're sending this on behalf of another author, then
this should be Signed-off-by rather than Acked-by.)

I'm not a co-author of this patch.

from Documentation/process/submitting-patches.rst:

The Signed-off-by: tag indicates that the signer was involved in the
development of the patch, or that he/she was in the patch's delivery path.
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Randy beat me to it. :)

-- 
Kees Cook

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help