diff options
| author | Eric Paris <eparis@redhat.com> | 2010-10-25 14:42:25 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2010-10-26 14:37:19 -0400 |
| commit | bade72d607c4eb1b1d6c7852c493b75f065a56b5 (patch) | |
| tree | 95aafb198d9a8a08e6b7813de0403658e6a1b04a /security/integrity | |
| parent | 196f518128d2ee6e0028b50e6fec0313640db142 (diff) | |
IMA: fix the ToMToU logic
Current logic looks like this:
rc = ima_must_measure(NULL, inode, MAY_READ, FILE_CHECK);
if (rc < 0)
goto out;
if (mode & FMODE_WRITE) {
if (inode->i_readcount)
send_tomtou = true;
goto out;
}
if (atomic_read(&inode->i_writecount) > 0)
send_writers = true;
Lets assume we have a policy which states that all files opened for read
by root must be measured.
Lets assume the file has permissions 777.
Lets assume that root has the given file open for read.
Lets assume that a non-root process opens the file write.
The non-root process will get to ima_counts_get() and will check the
ima_must_measure(). Since it is not supposed to measure it will goto
out.
We should check the i_readcount no matter what since we might be causing
a ToMToU voilation!
This is close to correct, but still not quite perfect. The situation
could have been that root, which was interested in the mesurement opened
and closed the file and another process which is not interested in the
measurement is the one holding the i_readcount ATM. This is just overly
strict on ToMToU violations, which is better than not strict enough...
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'security/integrity')
| -rw-r--r-- | security/integrity/ima/ima_main.c | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 60dd61527b1e..203de979d305 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c | |||
| @@ -112,22 +112,23 @@ void ima_counts_get(struct file *file) | |||
| 112 | if (!ima_initialized) | 112 | if (!ima_initialized) |
| 113 | goto out; | 113 | goto out; |
| 114 | 114 | ||
| 115 | rc = ima_must_measure(NULL, inode, MAY_READ, FILE_CHECK); | ||
| 116 | if (rc < 0) | ||
| 117 | goto out; | ||
| 118 | |||
| 119 | if (mode & FMODE_WRITE) { | 115 | if (mode & FMODE_WRITE) { |
| 120 | if (inode->i_readcount) | 116 | if (inode->i_readcount && IS_IMA(inode)) |
| 121 | send_tomtou = true; | 117 | send_tomtou = true; |
| 122 | goto out; | 118 | goto out; |
| 123 | } | 119 | } |
| 124 | 120 | ||
| 121 | rc = ima_must_measure(NULL, inode, MAY_READ, FILE_CHECK); | ||
| 122 | if (rc < 0) | ||
| 123 | goto out; | ||
| 124 | |||
| 125 | if (atomic_read(&inode->i_writecount) > 0) | 125 | if (atomic_read(&inode->i_writecount) > 0) |
| 126 | send_writers = true; | 126 | send_writers = true; |
| 127 | out: | 127 | out: |
| 128 | /* remember the vfs deals with i_writecount */ | 128 | /* remember the vfs deals with i_writecount */ |
| 129 | if ((mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ) | 129 | if ((mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ) |
| 130 | inode->i_readcount++; | 130 | inode->i_readcount++; |
| 131 | |||
| 131 | spin_unlock(&inode->i_lock); | 132 | spin_unlock(&inode->i_lock); |
| 132 | 133 | ||
| 133 | if (send_tomtou) | 134 | if (send_tomtou) |