
Re: [PATCH] ima: fix filename hint to reflect script interpreter name



On Tue, 2012-05-15 at 09:29 +0300, Kasatkin, Dmitry wrote:
> On Tue, May 15, 2012 at 4:50 AM, Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
> > From: Mimi Zohar <zohar@xxxxxxxxxx>
> >
> > When IMA was first upstreamed, the bprm filename and interp were
> > always the same.  Currently, the bprm->filename and bprm->interp
> > are the same, except for when only bprm->interp contains the
> > interpreter name.  So instead of using the bprm->filename as
> > the IMA filename hint in the measurement list, we could replace
> > it with bprm->interp, but this feels too fragile.
> >
> > The following patch is not much better, but at least there is some
> > indication that sometimes we're passing the filename and other times
> > the interpreter name.
> >
> > Reported-by: Andrew Lunn <andrew@xxxxxxx>
> > Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx>
> > ---
> >  security/integrity/ima/ima_main.c |    4 +++-
> >  1 files changed, 3 insertions(+), 1 deletions(-)
> >
> > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> > index 1eff5cb..b17be79 100644
> > --- a/security/integrity/ima/ima_main.c
> > +++ b/security/integrity/ima/ima_main.c
> > @@ -194,7 +194,9 @@ int ima_bprm_check(struct linux_binprm *bprm)
> >  {
> >        int rc;
> >
> > -       rc = process_measurement(bprm->file, bprm->filename,
> > +       rc = process_measurement(bprm->file,
> > +                                (strcmp(bprm->filename, bprm->interp) == 0) ?
> > +                                bprm->filename : bprm->interp,
> >                                 MAY_EXEC, BPRM_CHECK);
> >        return 0;
> >  }
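Review bot: the ternary added in this hunk always yields the same string as bprm->interp, so the change does not carry the distinction it aims for: when strcmp() returns 0 the two strings are identical and either pointer gives the same hint, and otherwise bprm->interp is chosen. If the goal is to make the script-interpreter case visible in the measurement list, passing bprm->interp directly with a comment stating that it differs from bprm->filename only when a script interpreter was substituted would be clearer than the conditional, and only a distinct hint for that case would actually surface the difference. Separately, the hunk shows rc being assigned and then `return 0;` unconditionally, so the result of process_measurement() is discarded; that predates this patch but is worth noting while this call is being touched.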
> 
> Hello,
> 
> Isn't the above statement just equivalent to:
> 
> rc = process_measurement(bprm->file, bprm->interp, MAY_EXEC, BPRM_CHECK);
> 
> - Dmitry

Yes, as the patch description tried to express, this is less readable.
For the same reason that using 'bprm->filename' landed up not being a
good idea, this seems to be equivalent.

Mimi
