From: James Morris
To: Mickaël Salaün
Cc: linux-kernel@vger.kernel.org, Aleksa Sarai, Alexei Starovoitov, Al Viro, Andy Lutomirski, Christian Heimes, Daniel Borkmann, Deven Bowers, Eric Chiang, Florian Weimer, Jan Kara, Jann Horn, Jonathan Corbet, Kees Cook, Matthew Garrett, Matthew Wilcox, Michael Kerrisk, Mickaël Salaün, Mimi Zohar, Philippe Trébuchet, Scott Shell, Sean Christopherson, Shuah Khan, Steve Dower, Steve Grubb, Thibaut Sautereau, Vincent Strubel, kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH v3 0/5] Add support for RESOLVE_MAYEXEC
Date: Fri, 1 May 2020 13:53:50 +1000 (AEST)
In-Reply-To: <20200428175129.634352-1-mic@digikod.net>
References: <20200428175129.634352-1-mic@digikod.net>
List-ID: linux-kernel@vger.kernel.org

On Tue, 28 Apr 2020, Mickaël Salaün wrote:

> Furthermore, the security policy can also be delegated to an LSM, either
> a MAC system or an integrity system. For instance, the new kernel
> MAY_OPENEXEC flag closes a major IMA measurement/appraisal interpreter
> integrity gap by bringing the ability to check the use of scripts [1].
> Other uses are expected, such as for openat2(2) [2], SGX integration
> [3], bpffs [4] or IPE [5].

Confirming that this is a highly desirable feature for the proposed IPE LSM.

-- 
James Morris
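The quoted paragraph describes the user-space side of the series only indirectly: an interpreter opens a script with openat2(2) and the proposed RESOLVE_MAYEXEC flag, so that the kernel, and through it IMA appraisal or an LSM such as IPE, can refuse the open when the file is not allowed to be executed. The program below is an added example written for this page; it is not code from the patch series, from the e-mail above, or from any interpreter. It assumes the flag value 0x20 as carried by the v3 series (it is not in mainline and may differ elsewhere), assumes a policy denial surfaces as EACCES or EPERM, and treats EINVAL or ENOSYS as "unpatched kernel". The syscall is injected through a function pointer so the decision logic can be exercised against constructed kernel answers on a machine without the patch; the fallback-to-plain-open policy is the example's own choice, not something the series mandates.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef __NR_openat2
#define __NR_openat2 437      /* same syscall number on every architecture since Linux 5.6 */
#endif
#ifndef RESOLVE_MAYEXEC
#define RESOLVE_MAYEXEC 0x20  /* ASSUMED: value from the v3 series, not in mainline */
#endif

/* Same layout as struct open_how in <linux/openat2.h>; declared locally so the
 * example builds against older headers. */
struct script_open_how {
    uint64_t flags;
    uint64_t mode;
    uint64_t resolve;
};

/* openat2(2)-shaped entry point, injectable for simulation. */
typedef int (*openat2_fn)(int dirfd, const char *path,
                          struct script_open_how *how, size_t size);

static int real_openat2(int dirfd, const char *path,
                        struct script_open_how *how, size_t size)
{
    return (int)syscall(__NR_openat2, dirfd, path, how, size);
}

enum script_verdict {
    SCRIPT_RUN,          /* kernel policy (mount flags, IMA, LSM) accepted execution */
    SCRIPT_DENIED,       /* policy refused: the interpreter must not run the file */
    SCRIPT_UNSUPPORTED,  /* kernel lacks the flag and the legacy path is disallowed */
    SCRIPT_ERROR         /* ordinary open failure (ENOENT, ...) */
};

/* Open a script with execute intent. On an unpatched kernel nobody checks the
 * script, so the plain open() fallback is only taken when allow_legacy is set. */
enum script_verdict open_script(openat2_fn op, const char *path,
                                int allow_legacy, int *fd_out)
{
    struct script_open_how how = {
        .flags = O_RDONLY | O_CLOEXEC,
        .mode = 0,
        .resolve = RESOLVE_MAYEXEC,
    };
    int fd = op(AT_FDCWD, path, &how, sizeof how);
    if (fd >= 0) {
        *fd_out = fd;
        return SCRIPT_RUN;
    }
    switch (errno) {
    case EACCES:
    case EPERM:
        return SCRIPT_DENIED;                 /* assumed shape of a policy denial */
    case EINVAL:
    case ENOSYS:
        if (!allow_legacy)
            return SCRIPT_UNSUPPORTED;
        fd = open(path, O_RDONLY | O_CLOEXEC); /* unchecked legacy behaviour */
        if (fd < 0)
            return SCRIPT_ERROR;
        *fd_out = fd;
        return SCRIPT_RUN;
    default:
        return SCRIPT_ERROR;
    }
}

/* Decision only; closes any descriptor that was opened. */
enum script_verdict script_verdict_for(openat2_fn op, const char *path, int allow_legacy)
{
    int fd = -1;
    enum script_verdict v = open_script(op, path, allow_legacy, &fd);
    if (fd >= 0)
        close(fd);
    return v;
}

/* Constructed kernel answers for running the logic without the patch. */
static int sim_policy_denies(int d, const char *p, struct script_open_how *h, size_t s)
{
    (void)d; (void)p; (void)h; (void)s;
    errno = EACCES;   /* e.g. IMA appraisal or IPE rejected the script */
    return -1;
}

static int sim_old_kernel(int d, const char *p, struct script_open_how *h, size_t s)
{
    (void)d; (void)p; (void)h; (void)s;
    errno = EINVAL;   /* unknown resolve bit */
    return -1;
}

static int sim_policy_allows(int d, const char *p, struct script_open_how *h, size_t s)
{
    (void)d; (void)s;
    if (h->resolve & RESOLVE_MAYEXEC)
        return open(p, (int)h->flags);   /* flag honoured, policy passed */
    errno = EINVAL;
    return -1;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/dev/null";
    enum script_verdict v = script_verdict_for(real_openat2, path, 0);
    printf("%s: verdict %d (0=run 1=denied 2=flag unsupported 3=error)\n", path, v);
    return 0;
}
```

Run against the real kernel, `main` reports what the running kernel does with the flag; on an unpatched kernel that is verdict 2 (or a RESOLVE_CACHED result on kernels that reuse bit 0x20 for that flag), which is exactly why an interpreter needs an explicit decision about the legacy path rather than silently retrying.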