mirror of https://gitee.com/openkylin/linux.git
ima: detect violations for mmaped files
This patch fixes the detection of the 'open_writers' violation for mmaped files. before) an 'open_writers' violation is detected if the policy contains a rule with the criteria: func=FILE_CHECK mask=MAY_READ after) an 'open_writers' violation is detected if the current event matches one of the policy rules. With the old behaviour, the 'open_writers' violation is not detected in the following case: policy: measure func=FILE_MMAP mask=MAY_EXEC steps: 1) open a shared library for writing 2) execute a binary that links that shared library 3) during the binary execution, modify the shared library and save the change result: the 'open_writers' violation measurement is not present in the IMA list. Only binaries executed are protected from writes. For libraries mapped in memory there is the flag MAP_DENYWRITE for this purpose, but according to the output of 'man mmap', the mmap flag is ignored. Since ima_rdwr_violation_check() is now called by process_measurement() the information about if the inode must be measured is already provided by ima_get_action(). Thus the unnecessary function ima_must_measure() has been removed. Changes in v3 (Dmitry Kasatkin): - Violation for MMAP_CHECK function are verified since this patch - Changed patch description a bit Signed-off-by: Roberto Sassu <roberto.sassu@polito.it> Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
This commit is contained in:
parent
f7a859ff73
commit
1b68bdf9cd
|
@ -179,11 +179,6 @@ int ima_get_action(struct inode *inode, int mask, int function)
|
|||
return ima_match_policy(inode, function, mask, flags);
|
||||
}
|
||||
|
||||
int ima_must_measure(struct inode *inode, int mask, int function)
|
||||
{
|
||||
return ima_match_policy(inode, function, mask, IMA_MEASURE);
|
||||
}
|
||||
|
||||
/*
|
||||
* ima_collect_measurement - collect file measurement
|
||||
*
|
||||
|
|
|
@ -79,6 +79,7 @@ __setup("ima_hash=", hash_setup);
|
|||
*/
|
||||
static void ima_rdwr_violation_check(struct file *file,
|
||||
struct integrity_iint_cache *iint,
|
||||
int must_measure,
|
||||
char **pathbuf,
|
||||
const char **pathname)
|
||||
{
|
||||
|
@ -95,8 +96,7 @@ static void ima_rdwr_violation_check(struct file *file,
|
|||
send_tomtou = true;
|
||||
}
|
||||
} else {
|
||||
if ((atomic_read(&inode->i_writecount) > 0) &&
|
||||
ima_must_measure(inode, MAY_READ, FILE_CHECK))
|
||||
if ((atomic_read(&inode->i_writecount) > 0) && must_measure)
|
||||
send_writers = true;
|
||||
}
|
||||
|
||||
|
@ -174,7 +174,7 @@ static int process_measurement(struct file *file, int mask, int function,
|
|||
* Included is the appraise submask.
|
||||
*/
|
||||
action = ima_get_action(inode, mask, function);
|
||||
violation_check = (function == FILE_CHECK &&
|
||||
violation_check = ((function == FILE_CHECK || function == MMAP_CHECK) &&
|
||||
(ima_policy_flag & IMA_MEASURE));
|
||||
if (!action && !violation_check)
|
||||
return 0;
|
||||
|
@ -194,7 +194,8 @@ static int process_measurement(struct file *file, int mask, int function,
|
|||
}
|
||||
|
||||
if (violation_check) {
|
||||
ima_rdwr_violation_check(file, iint, &pathbuf, &pathname);
|
||||
ima_rdwr_violation_check(file, iint, action & IMA_MEASURE,
|
||||
&pathbuf, &pathname);
|
||||
if (!action) {
|
||||
rc = 0;
|
||||
goto out_free;
|
||||
|
|
Loading…
Reference in New Issue