ima: prevent a file already mmap'ed write to be mmap'ed execute - linux-dev - Linux kernel development work

diff options

author	Mimi Zohar <zohar@linux.ibm.com>	2019-04-30 08:34:44 -0400
committer	Mimi Zohar <zohar@linux.ibm.com>	2019-06-04 16:47:30 -0400
commit	2cd4737bc850225de426a8dbee7a7a312a4f5304 (patch)
tree	9cb0e2215945a1bee0ed3cae6494049125eb980d /security/selinux/selinuxfs.c
parent	x86/ima: check EFI SetupMode too (diff)
download	linux-dev-2cd4737bc850225de426a8dbee7a7a312a4f5304.tar.xz linux-dev-2cd4737bc850225de426a8dbee7a7a312a4f5304.zip

ima: prevent a file already mmap'ed write to be mmap'ed execute

The kernel calls deny_write_access() to prevent a file already opened for write from being executed and also prevents files being executed from being opened for write. For some reason this does not extend to files being mmap'ed execute. From an IMA perspective, measuring/appraising the integrity of a file being mmap'ed shared execute, without first making sure the file cannot be modified, makes no sense. This patch prevents files, in policy, already mmap'ed shared write, from being mmap'ed execute. Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

Diffstat (limited to 'security/selinux/selinuxfs.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: