From: Dmitry K. <d.k...@sa...> - 2014-09-17 08:43:13
Hello,
It seems the patch does not change the default behavior, which forbids
opening files with O_DIRECT when IMA is enabled.
It only disallows the policy from having the permit_directio option to "permit"
opening of files with O_DIRECT.
Was it the real intention of the patch?
I could imagine such a patch which changes the default behavior and "allows"
opening files with O_DIRECT without the permit_directio policy option.
Otherwise I feel it does not bring any advantage over the policy option.
Thanks,
Dmitry
On 16/09/14 23:12, Mimi Zohar wrote:
> Commit f9b2a73 "ima: audit log files opened with "O_DIRECT"
> resolved a lockdep, by defining the "permit_directio" policy rule
> option, which allowed files to be opened without being measured,
> appraised or audit logged. All other files opened with the
> "O_DIRECT" flag were denied.
>
> Since not all file systems support the "O_DIRECT" flag, on failure
> applications are supposed to automatically retry opening the file
> without the flag. This is indeed what happens for the original
> Debian boot lockdep report ("CONCURRENCY=makefile").
>
> Unfortunately it is impossible to know whether all applications
> fall back to opening the file without the O_DIRECT flag. For now,
> this patch further restricts allowing the "permit_directio" policy
> option requiring it to be configured.
>
> Signed-off-by: Mimi Zohar <zo...@li...>
> ---
> security/integrity/ima/Kconfig | 14 ++++++++++++++
> security/integrity/ima/ima_policy.c | 4 ++++
> 2 files changed, 18 insertions(+)
>
> diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
> index e099875..5a4d483 100644
> --- a/security/integrity/ima/Kconfig
> +++ b/security/integrity/ima/Kconfig
> @@ -44,6 +44,20 @@ config IMA_LSM_RULES
> help
> Disabling this option will disregard LSM based policy rules.
>
> +config IMA_PERMIT_DIRECTIO
> + bool "permit files opened with O_DIRECT flag"
> + depends on IMA
> + default n
> + help
> + Since not all files systems support the open "O_DIRECT" flag,
> + on failure applications are suppose to retry opening the file
> + without it. For those applications that absolutely require
> + "O_DIRECT", permit the open without measuring, appraising or
> + audit logging the file.
> +
> + Permitting open with O_DIRECT flag will result in measurement,
> + appraisal, or audit logging gaps. Not recommended.
> +
> choice
> prompt "Default template"
> default IMA_NG_TEMPLATE
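Review bot: The prompt and help text of IMA_PERMIT_DIRECTIO read as if enabling the option by itself permits O_DIRECT opens, but going by the ima_policy.c change it only lets the policy parser accept the permit_directio rule option. Say that explicitly in the help text, and state that with the option off a rule carrying permit_directio is rejected. Also in the help text, "files systems" should be "file systems" and "suppose to" should be "supposed to", and "default n" can be dropped since n is already the default for a bool.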
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 07099a8..7bd774e 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -629,7 +629,11 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
> result = -EINVAL;
> break;
> case Opt_permit_directio:
> +#ifdef CONFIG_IMA_PERMIT_DIRECTIO
> entry->flags |= IMA_PERMIT_DIRECTIO;
> +#else
> + result = -EINVAL;
> +#endif
> break;
> case Opt_err:
> ima_log_string(ab, "UNKNOWN", p);
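Review bot: In the #else branch of case Opt_permit_directio the rule fails with a bare "result = -EINVAL;" and no message, so whoever loads the policy cannot tell a compiled-out option from a malformed rule. The Opt_err case just below reports through ima_log_string(); do the same here, naming permit_directio so the rejection is visible in the audit record. Because the Kconfig default is n, a policy that already uses permit_directio will stop parsing on a kernel built with defaults, which deserves a line in the changelog. Consider IS_ENABLED(CONFIG_IMA_PERMIT_DIRECTIO) in place of the #ifdef so both branches are always compiled.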
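The retry behaviour the commit message relies on, sketched as an added example that is not part of the original thread or patch. The names `open_prefer_direct` and `struct dio_result` are hypothetical, and treating EACCES as the way a policy denial surfaces is an assumption of this example.

```c
#define _GNU_SOURCE            /* glibc exposes O_DIRECT only with this */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#if !defined(O_DIRECT) && defined(__O_DIRECT)
#define O_DIRECT __O_DIRECT    /* _GNU_SOURCE was defined too late */
#endif

/* Hypothetical result type for this example. */
struct dio_result {
    int fd;            /* open descriptor, or -1 if no attempt succeeded */
    int direct;        /* 1 if the descriptor was opened with O_DIRECT */
    int direct_errno;  /* errno from the O_DIRECT attempt, 0 if it succeeded */
};

/*
 * Try O_DIRECT first, then retry without it.
 * EINVAL: open(2) documents this for file systems without O_DIRECT support.
 * EACCES: assumed here to be how a policy denial (such as IMA's) surfaces.
 * Any other error (ENOENT, EMFILE, ...) is not an O_DIRECT problem: no retry.
 */
struct dio_result open_prefer_direct(const char *path, int flags)
{
    struct dio_result r = { -1, 0, 0 };

    r.fd = open(path, flags | O_DIRECT);
    if (r.fd >= 0) {
        r.direct = 1;
        return r;
    }
    r.direct_errno = errno;
    if (r.direct_errno == EINVAL || r.direct_errno == EACCES)
        r.fd = open(path, flags & ~O_DIRECT);
    return r;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s FILE\n", argv[0]); return 2; }
    struct dio_result r = open_prefer_direct(argv[1], O_RDONLY);
    if (r.fd < 0) { perror("open"); return 1; }
    printf("%s: opened %s O_DIRECT (first attempt errno=%d)\n",
           argv[1], r.direct ? "with" : "without", r.direct_errno);
    close(r.fd);
    return 0;
}
```

Run against a file covered by the IMA policy, the `direct` and `direct_errno` fields show whether the O_DIRECT attempt was refused and whether the application still got a descriptor that goes through measurement.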