Re: [Linux-ima-user] Interpreter instead of script in IMA

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

On Fri, 2012-04-27 at 08:30 +0200, Andrew Lunn wrote:
> > It's definitely not the 'expected behavior', nor did it behave this way
> > originally.  I'm looking into it.
> 
> Hi Mimi
> 
> I had a quick look myself....
> 
> fs/exec.c contains:
> 
> /*
>  * cycle the list of binary formats handler, until one recognizes the image
>  */
> int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
> {
>         unsigned int depth = bprm->recursion_depth;
>         int try,retval;
>         struct linux_binfmt *fmt;
>         pid_t old_pid, old_vpid;
> 
>         retval = security_bprm_check(bprm);
>         if (retval)
>                 return retval;
> 
> It is this call to security_bprm_check which causes the entry in IMA.
> bprm->file is the struct file *file for the file contents and
> bprm->filename becomes the filename hint.
> 
> when the image is a script, this function will call various binfmt
> handlers, until the handler in fs/binfmt_script.c is called. It
> recognizes the #!, extracts the name of the interpreter, and sets
> bprm->file to point to the interpreter. However, it does not change
> bprm->filename. It then goes recursive, calling
> search_binary_handler() to find a handler for the interpreter
> image. We then get the second IMA entry for the interpreter image, but
> still using the old bprm->filename, i.e. the name of the script, not
> the interpreter.

Hi Andrew,

Yes, things have changed. The name of the interpreter was originally
copied to bprm->filename.  Currently bprm->filename and bprm->interp are
the same, but only differ when the script handler is called.  Instead of
passing bprm->filename to process_measurement(), we could pass
bprm->interp, but that just seems wrong.

Mimi