From: Dmitry K. <d.k...@sa...> - 2014-08-20 13:46:32
From: Roberto Sassu <rob...@po...>

removed ima_must_measure and fixed detection of open_writers violation

This patch fixes the detection of the 'open_writers' violation for mmaped files.

before) an 'open_writers' violation is detected if the policy contains a rule with the criteria: func=FILE_CHECK mask=MAY_READ

after) an 'open_writers' violation is detected if the current event matches one of the policy rules.

With the old behaviour, the 'open_writers' violation is not detected in the following case:

policy: measure func=FILE_MMAP mask=MAY_EXEC

steps:
1) open a shared library for writing
2) execute a binary that links that shared library
3) during the binary execution, modify the shared library and save the change

result: the 'open_writers' violation measurement is not present in the IMA list.

Only binaries executed are protected from writes. For libraries mapped in memory there is the flag MAP_DENYWRITE for this purpose, but according to the output of 'man mmap', the mmap flag is ignored.

Since ima_rdwr_violation_check() is now called by process_measurement(), the information about whether the inode must be measured is already provided by ima_get_action(). Thus the unnecessary function ima_must_measure() has been removed.

Changes in v3 (Dmitry Kasatkin):
- Violations for the MMAP_CHECK function are verified since this patch
- Changed patch description a bit

Signed-off-by: Roberto Sassu <rob...@po...>
Signed-off-by: Dmitry Kasatkin <d.k...@sa...>
---
 security/integrity/ima/ima_api.c  | 5 -----
 security/integrity/ima/ima_main.c | 9 +++++----
 2 files changed, 5 insertions(+), 9 deletions(-)

diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index d9cd5ce..bb29cbf 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -179,11 +179,6 @@ int ima_get_action(struct inode *inode, int mask, int function) return ima_match_policy(inode, function, mask, flags); } -int ima_must_measure(struct inode *inode, int mask, int function) -{ - return ima_match_policy(inode, function, mask, IMA_MEASURE); -} - /* * ima_collect_measurement - collect file measurement * diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 757d001..e30cd51 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -78,6 +78,7 @@ __setup("ima_hash=", hash_setup); * */ static void ima_rdwr_violation_check(struct file *file, + int must_measure, struct integrity_iint_cache **iint, char **pathbuf, const char **pathname) @@ -94,8 +95,7 @@ static void ima_rdwr_violation_check(struct file *file, send_tomtou = true; } } else { - if ((atomic_read(&inode->i_writecount) > 0) && - ima_must_measure(inode, MAY_READ, FILE_CHECK)) + if ((atomic_read(&inode->i_writecount) > 0) && must_measure) send_writers = true; } @@ -175,8 +175,9 @@ static int process_measurement(struct file *file, int mask, int function, mutex_lock(&inode->i_mutex); - if (function == FILE_CHECK) - ima_rdwr_violation_check(file, &iint, &pathbuf, &pathname); + if (function == MMAP_CHECK || function == FILE_CHECK) + ima_rdwr_violation_check(file, action & IMA_MEASURE, + &iint, &pathbuf, &pathname); if (!action) { rc = 0; -- 1.9.1 |
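Review bot: deleting the definition of ima_must_measure() in the ima_api.c hunk leaves its prototype behind unless the IMA header is updated as well, and the diffstat lists only ima_api.c and ima_main.c; drop the declaration from the header in the same patch so no stale prototype remains for a function that no longer exists.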
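Review bot: the new `int must_measure` parameter added to ima_rdwr_violation_check() is not described in the block comment that ends (`* */`) directly above the function in the first ima_main.c hunk; add a line there stating that it carries the IMA_MEASURE bit of the caller's action, and consider declaring it `bool`, since the only use in the `else` branch is `&& must_measure` and the value is never used as a mask.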
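Review bot: in the process_measurement() hunk the description and the code disagree: the description says a violation is detected "if the current event matches one of the policy rules", but the call passes `action & IMA_MEASURE`, so an event that matches only an appraise or audit rule yields must_measure == 0 and no 'open_writers' violation is recorded; either pass `action` itself or narrow the description to "matches a measure rule". The call also still precedes the `if (!action)` early return, so the ToMToU branch of ima_rdwr_violation_check() now runs for MMAP_CHECK events that match no rule at all, which mirrors the existing FILE_CHECK behaviour but is worth stating in the description now that mmap events take this path too.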