authorRoberto Sassu <roberto.sassu@polito.it>2014-09-12 13:35:56 -0400
committerMimi Zohar <zohar@linux.vnet.ibm.com>2014-09-18 10:04:12 -0400
commit1b68bdf9cded82d37e443a20c5ed47bbb084d5dc (patch)
treeed09fb584503dce3925af7f0f9d397a8f407d5ea /security
parentf7a859ff7395c0ffe60f9563df5354473e5f9244 (diff)
ima: detect violations for mmaped files
This patch fixes the detection of the 'open_writers' violation for mmaped files. before) an 'open_writers' violation is detected if the policy contains a rule with the criteria: func=FILE_CHECK mask=MAY_READ after) an 'open_writers' violation is detected if the current event matches one of the policy rules. With the old behaviour, the 'open_writers' violation is not detected in the following case: policy: measure func=FILE_MMAP mask=MAY_EXEC steps: 1) open a shared library for writing 2) execute a binary that links that shared library 3) during the binary execution, modify the shared library and save the change result: the 'open_writers' violation measurement is not present in the IMA list. Only binaries executed are protected from writes. For libraries mapped in memory there is the flag MAP_DENYWRITE for this purpose, but according to the output of 'man mmap', the mmap flag is ignored. Since ima_rdwr_violation_check() is now called by process_measurement(), the information about whether the inode must be measured is already provided by ima_get_action(). Thus the unnecessary function ima_must_measure() has been removed. Changes in v3 (Dmitry Kasatkin): - Violation for MMAP_CHECK function are verified since this patch - Changed patch description a bit Signed-off-by: Roberto Sassu <roberto.sassu@polito.it> Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security')
-rw-r--r--security/integrity/ima/ima_api.c5
-rw-r--r--security/integrity/ima/ima_main.c9
2 files changed, 5 insertions, 9 deletions
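--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -179,11 +179,6 @@ int ima_get_action(struct inode *inode, int mask, int function)
 	return ima_match_policy(inode, function, mask, flags);
 }
 
-int ima_must_measure(struct inode *inode, int mask, int function)
-{
-	return ima_match_policy(inode, function, mask, IMA_MEASURE);
-}
-
 /*
  * ima_collect_measurement - collect file measurement
  *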
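--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -79,6 +79,7 @@ __setup("ima_hash=", hash_setup);
  */
 static void ima_rdwr_violation_check(struct file *file,
 				     struct integrity_iint_cache *iint,
+				     int must_measure,
 				     char **pathbuf,
 				     const char **pathname)
 {
@@ -95,8 +96,7 @@ static void ima_rdwr_violation_check(struct file *file,
 			send_tomtou = true;
 		}
 	} else {
-		if ((atomic_read(&inode->i_writecount) > 0) &&
-		    ima_must_measure(inode, MAY_READ, FILE_CHECK))
+		if ((atomic_read(&inode->i_writecount) > 0) && must_measure)
 			send_writers = true;
 	}
 
@@ -174,7 +174,7 @@ static int process_measurement(struct file *file, int mask, int function,
 	 * Included is the appraise submask.
 	 */
 	action = ima_get_action(inode, mask, function);
-	violation_check = (function == FILE_CHECK &&
+	violation_check = ((function == FILE_CHECK || function == MMAP_CHECK) &&
 			   (ima_policy_flag & IMA_MEASURE));
 	if (!action && !violation_check)
 		return 0;
@@ -194,7 +194,8 @@ static int process_measurement(struct file *file, int mask, int function,
 	}
 
 	if (violation_check) {
-		ima_rdwr_violation_check(file, iint, &pathbuf, &pathname);
+		ima_rdwr_violation_check(file, iint, action & IMA_MEASURE,
+					 &pathbuf, &pathname);
 		if (!action) {
 			rc = 0;
 			goto out_free;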
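Review bot: The new `must_measure` parameter added to ima_rdwr_violation_check() in the first hunk is not described in the comment block that closes with `*/` just above the signature, which looks like the function's kernel-doc; I would add `@must_measure: non-zero when the current event matched a measure rule; gates only the open_writers report` there, because the gate applies solely to the `send_writers` path while the ToMToU path in the write branch stays unconditional as before. Since the caller passes the masked bit `action & IMA_MEASURE`, declaring the parameter `bool must_measure` and passing `!!(action & IMA_MEASURE)` would make the flag-to-boolean intent explicit rather than relying on a non-zero `int`. The body of ima_rdwr_violation_check() and the head of process_measurement() lie outside the hunks shown, so whether that comment is the kernel-doc block is inferred from its closing line only.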