diff options
author | Roberto Sassu <roberto.sassu@polito.it> | 2014-09-12 13:35:56 -0400 |
---|---|---|
committer | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2014-09-18 10:04:12 -0400 |
commit | 1b68bdf9cded82d37e443a20c5ed47bbb084d5dc (patch) | |
tree | ed09fb584503dce3925af7f0f9d397a8f407d5ea /security | |
parent | f7a859ff7395c0ffe60f9563df5354473e5f9244 (diff) |
ima: detect violations for mmaped files
This patch fixes the detection of the 'open_writers' violation for mmaped
files.
before) an 'open_writers' violation is detected if the policy contains
a rule with the criteria: func=FILE_CHECK mask=MAY_READ
after) an 'open_writers' violation is detected if the current event
matches one of the policy rules.
With the old behaviour, the 'open_writers' violation is not detected
in the following case:
policy:
measure func=FILE_MMAP mask=MAY_EXEC
steps:
1) open a shared library for writing
2) execute a binary that links that shared library
3) during the binary execution, modify the shared library and save
the change
result:
the 'open_writers' violation measurement is not present in the IMA list.
Only binaries executed are protected from writes. For libraries mapped
in memory there is the flag MAP_DENYWRITE for this purpose, but according
to the output of 'man mmap', the mmap flag is ignored.
Since ima_rdwr_violation_check() is now called by process_measurement()
the information about if the inode must be measured is already provided
by ima_get_action(). Thus the unnecessary function ima_must_measure()
has been removed.
Changes in v3 (Dmitry Kasatkin):
- Violation for MMAP_CHECK function are verified since this patch
- Changed patch description a bit
Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security')
-rw-r--r-- | security/integrity/ima/ima_api.c | 5 | ||||
-rw-r--r-- | security/integrity/ima/ima_main.c | 9 |
2 files changed, 5 insertions, 9 deletions
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index 65c41a968cc1..86885979918c 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c | |||
@@ -179,11 +179,6 @@ int ima_get_action(struct inode *inode, int mask, int function) | |||
179 | return ima_match_policy(inode, function, mask, flags); | 179 | return ima_match_policy(inode, function, mask, flags); |
180 | } | 180 | } |
181 | 181 | ||
182 | int ima_must_measure(struct inode *inode, int mask, int function) | ||
183 | { | ||
184 | return ima_match_policy(inode, function, mask, IMA_MEASURE); | ||
185 | } | ||
186 | |||
187 | /* | 182 | /* |
188 | * ima_collect_measurement - collect file measurement | 183 | * ima_collect_measurement - collect file measurement |
189 | * | 184 | * |
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 03bb52ecf490..62f59eca32d3 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c | |||
@@ -79,6 +79,7 @@ __setup("ima_hash=", hash_setup); | |||
79 | */ | 79 | */ |
80 | static void ima_rdwr_violation_check(struct file *file, | 80 | static void ima_rdwr_violation_check(struct file *file, |
81 | struct integrity_iint_cache *iint, | 81 | struct integrity_iint_cache *iint, |
82 | int must_measure, | ||
82 | char **pathbuf, | 83 | char **pathbuf, |
83 | const char **pathname) | 84 | const char **pathname) |
84 | { | 85 | { |
@@ -95,8 +96,7 @@ static void ima_rdwr_violation_check(struct file *file, | |||
95 | send_tomtou = true; | 96 | send_tomtou = true; |
96 | } | 97 | } |
97 | } else { | 98 | } else { |
98 | if ((atomic_read(&inode->i_writecount) > 0) && | 99 | if ((atomic_read(&inode->i_writecount) > 0) && must_measure) |
99 | ima_must_measure(inode, MAY_READ, FILE_CHECK)) | ||
100 | send_writers = true; | 100 | send_writers = true; |
101 | } | 101 | } |
102 | 102 | ||
@@ -174,7 +174,7 @@ static int process_measurement(struct file *file, int mask, int function, | |||
174 | * Included is the appraise submask. | 174 | * Included is the appraise submask. |
175 | */ | 175 | */ |
176 | action = ima_get_action(inode, mask, function); | 176 | action = ima_get_action(inode, mask, function); |
177 | violation_check = (function == FILE_CHECK && | 177 | violation_check = ((function == FILE_CHECK || function == MMAP_CHECK) && |
178 | (ima_policy_flag & IMA_MEASURE)); | 178 | (ima_policy_flag & IMA_MEASURE)); |
179 | if (!action && !violation_check) | 179 | if (!action && !violation_check) |
180 | return 0; | 180 | return 0; |
@@ -194,7 +194,8 @@ static int process_measurement(struct file *file, int mask, int function, | |||
194 | } | 194 | } |
195 | 195 | ||
196 | if (violation_check) { | 196 | if (violation_check) { |
197 | ima_rdwr_violation_check(file, iint, &pathbuf, &pathname); | 197 | ima_rdwr_violation_check(file, iint, action & IMA_MEASURE, |
198 | &pathbuf, &pathname); | ||
198 | if (!action) { | 199 | if (!action) { |
199 | rc = 0; | 200 | rc = 0; |
200 | goto out_free; | 201 | goto out_free; |