From: Mimi Z. <zo...@li...> - 2014-09-16 20:12:13
Commit f9b2a73 "ima: audit log files opened with "O_DIRECT""
resolved a lockdep, by defining the "permit_directio" policy rule
option, which allowed files to be opened without being measured,
appraised or audit logged. All other files opened with the
"O_DIRECT" flag were denied.

Since not all file systems support the "O_DIRECT" flag, on failure
applications are supposed to automatically retry opening the file
without the flag. This is indeed what happens for the original
Debian boot lockdep report ("CONCURRENCY=makefile").

Unfortunately it is impossible to know whether all applications
fall back to opening the file without the O_DIRECT flag. For now,
this patch further restricts allowing the "permit_directio" policy
option, requiring it to be configured.
Signed-off-by: Mimi Zohar <zo...@li...>
---
security/integrity/ima/Kconfig | 14 ++++++++++++++
security/integrity/ima/ima_policy.c | 4 ++++
2 files changed, 18 insertions(+)
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index e099875..5a4d483 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -44,6 +44,20 @@ config IMA_LSM_RULES
help
Disabling this option will disregard LSM based policy rules.
+config IMA_PERMIT_DIRECTIO
+ bool "permit files opened with O_DIRECT flag"
+ depends on IMA
+ default n
+ help
+ Since not all files systems support the open "O_DIRECT" flag,
+ on failure applications are suppose to retry opening the file
+ without it. For those applications that absolutely require
+ "O_DIRECT", permit the open without measuring, appraising or
+ audit logging the file.
+
+ Permitting open with O_DIRECT flag will result in measurement,
+ appraisal, or audit logging gaps. Not recommended.
+
choice
prompt "Default template"
default IMA_NG_TEMPLATE
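Review bot: the new help text carries two typos that will show up verbatim in menuconfig: "Since not all files systems support" should read "file systems", and "applications are suppose to retry" should read "supposed to". It would also help to state which policy keyword this option gates, for example a first sentence such as "Enables the "permit_directio" policy rule option", since the help text as written never names the rule option that becomes available. The "depends on IMA", "default n" and the closing "Not recommended." warning are the right choices for an option that opens measurement, appraisal and audit gaps.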
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 07099a8..7bd774e 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -629,7 +629,11 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
result = -EINVAL;
break;
case Opt_permit_directio:
+#ifdef CONFIG_IMA_PERMIT_DIRECTIO
entry->flags |= IMA_PERMIT_DIRECTIO;
+#else
+ result = -EINVAL;
+#endif
break;
case Opt_err:
ima_log_string(ab, "UNKNOWN", p);
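Review bot: in the #else branch of case Opt_permit_directio the rule is rejected with result = -EINVAL but nothing is logged, whereas the neighbouring Opt_err branch records ima_log_string(ab, "UNKNOWN", p); an administrator whose policy load fails will find no audit record explaining that "permit_directio" is compiled out. Suggest logging on that path before setting result, e.g. ima_log_string(ab, "permit_directio", "not configured"); or, alternatively, guarding the Opt_permit_directio token itself with the same #ifdef so an unconfigured option is rejected through the existing Opt_err path and its "UNKNOWN" message.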
--
1.8.1.4
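The commit message relies on applications retrying an open without O_DIRECT when the first attempt fails. The following C program is an added example, written for this page and not part of the patch or of the IMA code, showing that open-then-fall-back pattern. It assumes EINVAL is the error for an unsupported O_DIRECT (as documented in open(2)) and, as an assumption based on my reading of the IMA source rather than anything stated on this page, that EACCES is what an IMA denial of an O_DIRECT open looks like; any other error is passed through unchanged so that real failures are not masked. The scratch file path is constructed by the example.

```c
/* Added example, not from the patch or the IMA tree: demonstrates the
 * "try O_DIRECT, fall back without it" pattern the commit message relies on. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Outcome of one open attempt. */
struct direct_open_result {
    int fd;          /* open descriptor, or -1 on failure */
    int fell_back;   /* 1 if the file was opened only after dropping O_DIRECT */
    int first_errno; /* errno from the O_DIRECT attempt, 0 if it succeeded */
};

/* Try O_DIRECT first; if the kernel refuses it for a reason that the
 * fallback can address, retry without the flag.
 *   EINVAL: the filesystem does not support O_DIRECT (open(2)).
 *   EACCES: assumed here to be the IMA denial of an O_DIRECT open that no
 *           "permit_directio" rule covers (assumption, not stated on the page). */
struct direct_open_result open_with_fallback(const char *path, int flags)
{
    struct direct_open_result r = { -1, 0, 0 };

    r.fd = open(path, flags | O_DIRECT);
    if (r.fd >= 0)
        return r;
    r.first_errno = errno;
    if (r.first_errno != EINVAL && r.first_errno != EACCES)
        return r;                    /* ENOENT, EPERM, ...: do not mask these */
    r.fd = open(path, flags);        /* retry without O_DIRECT */
    if (r.fd >= 0)
        r.fell_back = 1;
    return r;
}

/* Create a scratch file (constructed input), run the pattern on it and write a
 * one-line report. Returns 1 if the file ended up open, 0 otherwise. */
int demo_fallback(char *report, size_t len)
{
    char tmpl[] = "/tmp/directio-XXXXXX";   /* constructed scratch path */
    int tfd = mkstemp(tmpl);
    if (tfd < 0) {
        snprintf(report, len, "mkstemp: %s", strerror(errno));
        return 0;
    }
    close(tfd);                              /* we only open it, never do I/O */

    struct direct_open_result r = open_with_fallback(tmpl, O_RDONLY);
    if (r.fd < 0) {
        snprintf(report, len, "open failed: %s", strerror(r.first_errno));
        unlink(tmpl);
        return 0;
    }
    if (r.fell_back)
        snprintf(report, len, "opened after dropping O_DIRECT (first attempt: %s)",
                 strerror(r.first_errno));
    else
        snprintf(report, len, "opened with O_DIRECT");
    close(r.fd);
    unlink(tmpl);
    return 1;
}

int main(void)
{
    char buf[128];
    int ok = demo_fallback(buf, sizeof buf);
    printf("%s\n", buf);
    return ok ? 0 : 1;
}
```

Whether the report says the file opened directly or only after the fallback depends on the filesystem under /tmp and on whether an IMA policy with or without a configured "permit_directio" rule is active; what the pattern guarantees is that an application which follows it keeps working in either case, while one that treats the first failure as fatal is exactly the kind the commit message worries about.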