ima: pass 'opened' flag to identify newly created files

Empty files and missing xattrs do not guarantee that a file was just created. This patch passes FILE_CREATED flag to IMA to reliably identify new files. Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Cc: <stable@vger.kernel.org> 3.14+
author: Dmitry Kasatkin <d.kasatkin@samsung.com> 2014-06-27 11:15:44 -0400
committer: Mimi Zohar <zohar@linux.vnet.ibm.com> 2014-09-09 10:28:43 -0400
commit: 3034a146820c26fe6da66a45f6340fe87fe0983a (patch)
tree: f78b031b7d1fa7eabe1f221749157fefa04704cd /security
parent: 3dcbad52cf18c3c379e96b992d22815439ebbe53 (diff)
3 files changed, 12 insertions, 12 deletions
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 57da4bd7ba0c..0fb456c20eda 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -177,7 +177,7 @@ void ima_delete_rules(void);
 int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
                             struct file *file, const unsigned char *filename,
                             struct evm_ima_xattr_data *xattr_value,
-                             int xattr_len);
+                             int xattr_len, int opened);
 int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func);
 void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file);
 enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
@@ -193,7 +193,7 @@ static inline int ima_appraise_measurement(int func,
                                           struct file *file,
                                           const unsigned char *filename,
                                           struct evm_ima_xattr_data *xattr_value,
-                                           int xattr_len)
+                                           int xattr_len, int opened)
 {
        return INTEGRITY_UNKNOWN;
 }
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index a4605d677248..225fd944a4ef 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -183,7 +183,7 @@ int ima_read_xattr(struct dentry *dentry,
 int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
                             struct file *file, const unsigned char *filename,
                             struct evm_ima_xattr_data *xattr_value,
-                             int xattr_len)
+                             int xattr_len, int opened)
 {
        static const char op[] = "appraise_data";
        char *cause = "unknown";
@@ -203,7 +203,7 @@ int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
                cause = "missing-hash";
                status = INTEGRITY_NOLABEL;
-                if (inode->i_size == 0) {
+                if (opened & FILE_CREATED) {
                        iint->flags |= IMA_NEW_FILE;
                        status = INTEGRITY_PASS;
                }
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 0a2298f90c9c..f82cf9b8e92b 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -157,7 +157,7 @@ void ima_file_free(struct file *file)
 }
 static int process_measurement(struct file *file, const char *filename,
-                               int mask, int function)
+                               int mask, int function, int opened)
 {
        struct inode *inode = file_inode(file);
        struct integrity_iint_cache *iint;
@@ -226,7 +226,7 @@ static int process_measurement(struct file *file, const char *filename,
                                      xattr_value, xattr_len);
        if (action & IMA_APPRAISE_SUBMASK)
                rc = ima_appraise_measurement(_func, iint, file, pathname,
-                                              xattr_value, xattr_len);
+                                              xattr_value, xattr_len, opened);
        if (action & IMA_AUDIT)
                ima_audit_measurement(iint, pathname);
        kfree(pathbuf);
@@ -255,7 +255,7 @@ out:
 int ima_file_mmap(struct file *file, unsigned long prot)
 {
        if (file && (prot & PROT_EXEC))
-                return process_measurement(file, NULL, MAY_EXEC, MMAP_CHECK);
+                return process_measurement(file, NULL, MAY_EXEC, MMAP_CHECK, 0);
        return 0;
 }
@@ -277,7 +277,7 @@ int ima_bprm_check(struct linux_binprm *bprm)
        return process_measurement(bprm->file,
                                   (strcmp(bprm->filename, bprm->interp) == 0) ?
                                   bprm->filename : bprm->interp,
-                                   MAY_EXEC, BPRM_CHECK);
+                                   MAY_EXEC, BPRM_CHECK, 0);
 }
 /**
@@ -290,12 +290,12 @@ int ima_bprm_check(struct linux_binprm *bprm)
 * On success return 0.  On integrity appraisal error, assuming the file
 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
 */
-int ima_file_check(struct file *file, int mask)
+int ima_file_check(struct file *file, int mask, int opened)
 {
        ima_rdwr_violation_check(file);
        return process_measurement(file, NULL,
                                   mask & (MAY_READ | MAY_WRITE | MAY_EXEC),
-                                   FILE_CHECK);
+                                   FILE_CHECK, opened);
 }
 EXPORT_SYMBOL_GPL(ima_file_check);
@@ -318,7 +318,7 @@ int ima_module_check(struct file *file)
 #endif
                return 0;       /* We rely on module signature checking */
        }
-        return process_measurement(file, NULL, MAY_EXEC, MODULE_CHECK);
+        return process_measurement(file, NULL, MAY_EXEC, MODULE_CHECK, 0);
 }
 int ima_fw_from_file(struct file *file, char *buf, size_t size)
@@ -329,7 +329,7 @@ int ima_fw_from_file(struct file *file, char *buf, size_t size)
                        return -EACCES; /* INTEGRITY_UNKNOWN */
                return 0;
        }
-        return process_measurement(file, NULL, MAY_EXEC, FIRMWARE_CHECK);
+        return process_measurement(file, NULL, MAY_EXEC, FIRMWARE_CHECK, 0);
 }
 static int __init init_ima(void)
author	Dmitry Kasatkin <d.kasatkin@samsung.com>	2014-06-27 11:15:44 -0400
committer	Mimi Zohar <zohar@linux.vnet.ibm.com>	2014-09-09 10:28:43 -0400
commit	3034a146820c26fe6da66a45f6340fe87fe0983a (patch)
tree	f78b031b7d1fa7eabe1f221749157fefa04704cd /security
parent	3dcbad52cf18c3c379e96b992d22815439ebbe53 (diff)

diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 57da4bd7ba0c..0fb456c20eda 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h
@@ -177,7 +177,7 @@ void ima_delete_rules(void);
177	int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,	177	int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
178	struct file file, const unsigned char filename,	178	struct file file, const unsigned char filename,
179	struct evm_ima_xattr_data *xattr_value,	179	struct evm_ima_xattr_data *xattr_value,
180	int xattr_len);	180	int xattr_len, int opened);
181	int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func);	181	int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func);
182	void ima_update_xattr(struct integrity_iint_cache iint, struct file file);	182	void ima_update_xattr(struct integrity_iint_cache iint, struct file file);
183	enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,	183	enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
@@ -193,7 +193,7 @@ static inline int ima_appraise_measurement(int func,
193	struct file *file,	193	struct file *file,
194	const unsigned char *filename,	194	const unsigned char *filename,
195	struct evm_ima_xattr_data *xattr_value,	195	struct evm_ima_xattr_data *xattr_value,
196	int xattr_len)	196	int xattr_len, int opened)
197	{	197	{
198	return INTEGRITY_UNKNOWN;	198	return INTEGRITY_UNKNOWN;
199	}	199	}


diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index a4605d677248..225fd944a4ef 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c
@@ -183,7 +183,7 @@ int ima_read_xattr(struct dentry *dentry,
183	int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,	183	int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
184	struct file file, const unsigned char filename,	184	struct file file, const unsigned char filename,
185	struct evm_ima_xattr_data *xattr_value,	185	struct evm_ima_xattr_data *xattr_value,
186	int xattr_len)	186	int xattr_len, int opened)
187	{	187	{
188	static const char op[] = "appraise_data";	188	static const char op[] = "appraise_data";
189	char *cause = "unknown";	189	char *cause = "unknown";
@@ -203,7 +203,7 @@ int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
203		203
204	cause = "missing-hash";	204	cause = "missing-hash";
205	status = INTEGRITY_NOLABEL;	205	status = INTEGRITY_NOLABEL;
206	if (inode->i_size == 0) {	206	if (opened & FILE_CREATED) {
207	iint->flags \|= IMA_NEW_FILE;	207	iint->flags \|= IMA_NEW_FILE;
208	status = INTEGRITY_PASS;	208	status = INTEGRITY_PASS;
209	}	209	}


diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 0a2298f90c9c..f82cf9b8e92b 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c
@@ -157,7 +157,7 @@ void ima_file_free(struct file *file)
157	}	157	}
158		158
159	static int process_measurement(struct file file, const char filename,	159	static int process_measurement(struct file file, const char filename,
160	int mask, int function)	160	int mask, int function, int opened)
161	{	161	{
162	struct inode *inode = file_inode(file);	162	struct inode *inode = file_inode(file);
163	struct integrity_iint_cache *iint;	163	struct integrity_iint_cache *iint;
@@ -226,7 +226,7 @@ static int process_measurement(struct file file, const char filename,
226	xattr_value, xattr_len);	226	xattr_value, xattr_len);
227	if (action & IMA_APPRAISE_SUBMASK)	227	if (action & IMA_APPRAISE_SUBMASK)
228	rc = ima_appraise_measurement(_func, iint, file, pathname,	228	rc = ima_appraise_measurement(_func, iint, file, pathname,
229	xattr_value, xattr_len);	229	xattr_value, xattr_len, opened);
230	if (action & IMA_AUDIT)	230	if (action & IMA_AUDIT)
231	ima_audit_measurement(iint, pathname);	231	ima_audit_measurement(iint, pathname);
232	kfree(pathbuf);	232	kfree(pathbuf);
@@ -255,7 +255,7 @@ out:
255	int ima_file_mmap(struct file *file, unsigned long prot)	255	int ima_file_mmap(struct file *file, unsigned long prot)
256	{	256	{
257	if (file && (prot & PROT_EXEC))	257	if (file && (prot & PROT_EXEC))
258	return process_measurement(file, NULL, MAY_EXEC, MMAP_CHECK);	258	return process_measurement(file, NULL, MAY_EXEC, MMAP_CHECK, 0);
259	return 0;	259	return 0;
260	}	260	}
261		261
@@ -277,7 +277,7 @@ int ima_bprm_check(struct linux_binprm *bprm)
277	return process_measurement(bprm->file,	277	return process_measurement(bprm->file,
278	(strcmp(bprm->filename, bprm->interp) == 0) ?	278	(strcmp(bprm->filename, bprm->interp) == 0) ?
279	bprm->filename : bprm->interp,	279	bprm->filename : bprm->interp,
280	MAY_EXEC, BPRM_CHECK);	280	MAY_EXEC, BPRM_CHECK, 0);
281	}	281	}
282		282
283	/**	283	/**
@@ -290,12 +290,12 @@ int ima_bprm_check(struct linux_binprm *bprm)
290	* On success return 0. On integrity appraisal error, assuming the file	290	* On success return 0. On integrity appraisal error, assuming the file
291	* is in policy and IMA-appraisal is in enforcing mode, return -EACCES.	291	* is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
292	*/	292	*/
293	int ima_file_check(struct file *file, int mask)	293	int ima_file_check(struct file *file, int mask, int opened)
294	{	294	{
295	ima_rdwr_violation_check(file);	295	ima_rdwr_violation_check(file);
296	return process_measurement(file, NULL,	296	return process_measurement(file, NULL,
297	mask & (MAY_READ \| MAY_WRITE \| MAY_EXEC),	297	mask & (MAY_READ \| MAY_WRITE \| MAY_EXEC),
298	FILE_CHECK);	298	FILE_CHECK, opened);
299	}	299	}
300	EXPORT_SYMBOL_GPL(ima_file_check);	300	EXPORT_SYMBOL_GPL(ima_file_check);
301		301
@@ -318,7 +318,7 @@ int ima_module_check(struct file *file)
318	#endif	318	#endif
319	return 0; /* We rely on module signature checking */	319	return 0; /* We rely on module signature checking */
320	}	320	}
321	return process_measurement(file, NULL, MAY_EXEC, MODULE_CHECK);	321	return process_measurement(file, NULL, MAY_EXEC, MODULE_CHECK, 0);
322	}	322	}
323		323
324	int ima_fw_from_file(struct file file, char buf, size_t size)	324	int ima_fw_from_file(struct file file, char buf, size_t size)
@@ -329,7 +329,7 @@ int ima_fw_from_file(struct file file, char buf, size_t size)
329	return -EACCES; /* INTEGRITY_UNKNOWN */	329	return -EACCES; /* INTEGRITY_UNKNOWN */
330	return 0;	330	return 0;
331	}	331	}
332	return process_measurement(file, NULL, MAY_EXEC, FIRMWARE_CHECK);	332	return process_measurement(file, NULL, MAY_EXEC, FIRMWARE_CHECK, 0);
333	}	333	}
334		334
335	static int __init init_ima(void)	335	static int __init init_ima(void)