Re: [RFC PATCH v1 0/5] Add support for O_MAYEXEC

From: Mimi Zohar
Date: Thu Dec 13 2018 - 07:17:18 EST

[Cc'ing linux-integrity]

On Thu, 2018-12-13 at 12:26 +0100, Florian Weimer wrote:
> * Mimi Zohar:
> > The indication needs to be set during file open, before the open
> > returns to the caller. ÂThis is the point where ima_file_check()
> > verifies the file's signature. ÂOn failure, access to the file is
> > denied.
> Does this verification happen for open with O_PATH?

Interesting! ÂAccording to the manpage, userspace cannot read/write to
the file. ÂIt looks like do_o_path() intentionally skips do_last(),
with the call to ima_file_check(). ÂIf the file data isn't being
accessed, does the file's integrity need to be verified?