On Fri, Mar 9, 2018 at 10:35 AM, David Miller <da...@davemloft.net> wrote: > From: Linus Torvalds <torva...@linux-foundation.org> > Date: Fri, 9 Mar 2018 10:17:42 -0800 > >> - use deny_write_access() to make sure that we don't have active >> writers and cannot get them during the execve. > > I agree that this is necessary for image validation purposes.
Module loading (via kernel_read_file()) already uses deny_write_access(), and so does do_open_execat(). As long as module loading doesn't call allow_write_access() before the execve() has started in the new implementation, I think we'd be covered here. -Kees -- Kees Cook Pixel Security