Re: [PATCH] ima: use full pathnames in measurement list | |
|
|
On Fri, 22 Jun 2012, Mimi Zohar wrote:
> The IMA measurement list contains filename hints, which can be
> ambiguous without the full pathname. This patch replaces the
> filename hint with the full pathname, simplifying for userspace
> the correlating of file hash measurements with files.
>
> Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx>
Are you posting this for review or do you want it applied to my tree?
> ---
> security/integrity/ima/ima_main.c | 40 +++++++++++++++++++++++++++++++-----
> 1 files changed, 34 insertions(+), 6 deletions(-)
>
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index b17be79..91fa323 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -54,6 +54,7 @@ static void ima_rdwr_violation_check(struct file *file)
> fmode_t mode = file->f_mode;
> int rc;
> bool send_tomtou = false, send_writers = false;
> + unsigned char *pathname = NULL, *pathbuf = NULL;
>
> if (!S_ISREG(inode->i_mode) || !ima_initialized)
> return;
> @@ -75,12 +76,25 @@ static void ima_rdwr_violation_check(struct file *file)
> out:
> mutex_unlock(&inode->i_mutex);
>
> + if (!send_tomtou && !send_writers)
> + return;
> +
> + /* We will allow 11 spaces for ' (deleted)' to be appended */
> + pathbuf = kmalloc(PATH_MAX + 11, GFP_KERNEL);
> + if (pathbuf) {
> + pathname = d_path(&file->f_path, pathbuf, PATH_MAX + 11);
> + if (IS_ERR(pathname))
> + pathname = NULL;
> + }
> if (send_tomtou)
> - ima_add_violation(inode, dentry->d_name.name, "invalid_pcr",
> - "ToMToU");
> + ima_add_violation(inode,
> + !pathname ? dentry->d_name.name : pathname,
> + "invalid_pcr", "ToMToU");
> if (send_writers)
> - ima_add_violation(inode, dentry->d_name.name, "invalid_pcr",
> - "open_writers");
> + ima_add_violation(inode,
> + !pathname ? dentry->d_name.name : pathname,
> + "invalid_pcr", "open_writers");
> + kfree(pathbuf);
> }
>
> static void ima_check_last_writer(struct integrity_iint_cache *iint,
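Review bot: Nothing in this hunk bounds the length of the string d_path() returns before it is handed to ima_add_violation() in the send_tomtou and send_writers branches; d_path() may fill up to PATH_MAX + 11 bytes, whereas the template file-name field the event is copied into is far shorter (IMA_EVENT_NAME_LEN_MAX, if I recall the define correctly), so an over-long path would be silently truncated in the measurement list instead of falling back to the hint. I would extend the error check after d_path(), e.g. `else if (strlen(pathname) > IMA_EVENT_NAME_LEN_MAX) pathname = NULL;`, so the existing dentry->d_name.name fallback also covers that case; the same applies to the d_path() block in the process_measurement hunk below. Minor: d_path() returns `char *` while pathname and pathbuf are declared `unsigned char *` in the first hunk, which will draw a pointer-signedness warning on the assignment; declaring them `char *pathbuf = NULL;` and `const char *pathname = NULL;` avoids it and matches what the ternaries need.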
> @@ -123,6 +137,7 @@ static int process_measurement(struct file *file, const unsigned char *filename,
> {
> struct inode *inode = file->f_dentry->d_inode;
> struct integrity_iint_cache *iint;
> + unsigned char *pathname = NULL, *pathbuf = NULL;
> int rc = 0;
>
> if (!ima_initialized || !S_ISREG(inode->i_mode))
> @@ -147,8 +162,21 @@ retry:
> goto out;
>
> rc = ima_collect_measurement(iint, file);
> - if (!rc)
> - ima_store_measurement(iint, file, filename);
> + if (rc != 0)
> + goto out;
> +
> + if (function != BPRM_CHECK) {
> + /* We will allow 11 spaces for ' (deleted)' to be appended */
> + pathbuf = kmalloc(PATH_MAX + 11, GFP_KERNEL);
> + if (pathbuf) {
> + pathname =
> + d_path(&file->f_path, pathbuf, PATH_MAX + 11);
> + if (IS_ERR(pathname))
> + pathname = NULL;
> + }
> + }
> + ima_store_measurement(iint, file, !pathname ? filename : pathname);
> + kfree(pathbuf);
> out:
> mutex_unlock(&iint->mutex);
> return rc;
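Review bot: The name stored here is whatever d_path() resolves relative to the opening task's root and mount namespace, with " (deleted)" appended for unlinked files, so the same inode can be measured under different names by tasks in different chroots or namespaces and the entry is still not a globally unique identifier. A short comment above the kmalloc, say `/* d_path() is relative to current's root/mount namespace; userspace correlating measurements must account for that */`, would keep readers from assuming more than the patch delivers. The allocate/d_path/IS_ERR sequence is now duplicated verbatim between this hunk and ima_rdwr_violation_check; a small static helper that owns the PATH_MAX + 11 kmalloc and returns the pathname or NULL would keep the two in step. This also issues a PATH_MAX + 11 byte kmalloc on every measured open, which is probably acceptable but worth a thought on that path. process_measurement begins outside this hunk, so the `function` parameter tested against BPRM_CHECK is not visible here.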
> --
> 1.7.7.6
>
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
--
James Morris
<jmorris@xxxxxxxxx>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/