Re: [Linux-ima-user] Interpreter instead of script in IMA

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

> It's definitely not the 'expected behavior', nor did it behave this way
> originally.  I'm looking into it.

Hi Mimi

I had a quick look myself....

fs/exec.c contains:

/*
 * cycle the list of binary formats handler, until one recognizes the image
 */
int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
{
        unsigned int depth = bprm->recursion_depth;
        int try,retval;
        struct linux_binfmt *fmt;
        pid_t old_pid, old_vpid;

        retval = security_bprm_check(bprm);
        if (retval)
                return retval;

It is this call to security_bprm_check which causes the entry in IMA.
bprm->file is the struct file *file for the file contents and
bprm->filename becomes the filename hint.

when the image is a script, this function will call various binfmt
handlers, until the handler in fs/binfmt_script.c is called. It
recognizes the #!, extracts the name of the interpreter, and sets
bprm->file to point to the interpreter. However, it does not change
bprm->filename. It then goes recursive, calling
search_binary_handler() to find a handler for the interpreter
image. We then get the second IMA entry for the interpreter image, but
still using the old bprm->filename, i.e. the name of the script, not
the interpreter.

    Andrew