Re: [PATCH] ima: Don't modify file descriptor mode on the fly

From: Mimi Zohar
Date: Mon Nov 30 2020 - 12:14:06 EST

Next message: Catalin Marinas: "Re: [PATCH v2] arm64: mte: Fix typo in macro definition"
Previous message: Laurent Pinchart: "Re: [PATCH 16/18] i2c: i2c-core-base: Use the new i2c_acpi_dev_name() in i2c_set_dev_name()"
In reply to: Christoph Hellwig: "Re: [PATCH] ima: Don't modify file descriptor mode on the fly"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 2020-11-26 at 11:34 +0100, Roberto Sassu wrote:
> Commit a408e4a86b36b ("ima: open a new file instance if no read
> permissions") already introduced a second open to measure a file when the
> original file descriptor does not allow it. However, it didn't remove the
> existing method of changing the mode of the original file descriptor, which
> is still necessary if the current process does not have enough privileges
> to open a new one.
>
> Changing the mode isn't really an option, as the filesystem might need to
> do preliminary steps to make the read possible. Thus, this patch removes
> the code and keeps the second open as the only option to measure a file
> when it is unreadable with the original file descriptor.
>
> Cc: <stable@xxxxxxxxxxxxxxx> # 4.20.x: 0014cc04e8ec0 ima: Set file->f_mode
> Fixes: 2fe5d6def1672 ("ima: integrity appraisal extension")
> Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>

Thanks, Roberto, Christoph. The patch is now queued in next-integrity.

Mimi

Next message: Catalin Marinas: "Re: [PATCH v2] arm64: mte: Fix typo in macro definition"
Previous message: Laurent Pinchart: "Re: [PATCH 16/18] i2c: i2c-core-base: Use the new i2c_acpi_dev_name() in i2c_set_dev_name()"
In reply to: Christoph Hellwig: "Re: [PATCH] ima: Don't modify file descriptor mode on the fly"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]