From: Mikhail K. <vie...@vi...> - 2016-12-27 07:52:38
I ran into an issue where files created by some programs don't have an
IMA/EVM signature (which they should have), for example git, a lot of GTK2/3 programs, etc.
A short investigation showed me that, in order to prevent data loss, all these
programs first create a temporary file on the same FS as the destination file, then
remove the destination file and rename the temporary file to the destination file name.
All these programs work with mkstemp().
Conditions:
1) IMA policy:
measure func=FILE_CHECK mask=MAY_READ
appraise func=FILE_CHECK mask=MAY_READ
measure func=FILE_CHECK mask=MAY_WRITE
appraise func=FILE_CHECK mask=MAY_WRITE
measure func=FILE_CHECK mask=MAY_APPEND
appraise func=FILE_CHECK mask=MAY_APPEND
2) FS mounted with the iversion flag.
3) kernel 4.7.10; IMA/EVM-related boot options: rootflags=i_version ima_appraise=fix evm=fix
First test (create and write into a regular file):
# touch /test
or
# echo "123" > /test
# getfattr -m . -d /test
getfattr: Removing leading '/' from absolute path names
# file: test
security.evm=0sAqWCwYz6qoUosD2IAD7s8x3E+G5Q
security.ima=0sBAbPg+E1fu+4vfFUKFDWbYAH1iDkBQtXFdyD9Kkh02zpzkfQ0TxdhfKw/4MY0od+7C9juTG9R0F6gaU4Mnr5J9o+
# echo "123" >> /test
# getfattr -m . -d /test
getfattr: Removing leading '/' from absolute path names
# file: test
security.evm=0sAqB8MIEQSvsB+xs1MalIXkD2r3fq
security.ima=0sBAbqL+VruMH7WtqEljtC7XG3ZKdLCS11dVFzreBvL0qtqcANbDAuGFA1y+hf3/MWmLypPoZh8MvO9Szy/2WGT9dC
As you can see, everything is working. No messages in the audit syslog.
I wrote a simple program to test this issue (/test.cpp):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* asprintf() */
#endif
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>

int main () {
	int test_fd = -1;
	char *tmpname;
	/* Build the template "test-XXXXXX"; mkstemp() fills in the X's. */
	if (asprintf(&tmpname, "%s-XXXXXX", "test") < 0) {
		printf("asprintf\n");
		exit(1);
	}
	/* Creates and opens the file with O_RDWR|O_CREAT|O_EXCL, mode 0600. */
	test_fd = mkstemp(tmpname);
	if (test_fd == -1) {
		printf("mkstemp\n");
		exit(1);
	}
	/* sizeof - 1: do not write the terminating NUL byte into the file. */
	if (write(test_fd, "test 123 test\n", sizeof("test 123 test\n") - 1) < 0) {
		printf("write\n");
		exit(1);
	}
	/* Closing the last writer (here, or implicitly at exit) is where IMA
	 * is expected to update security.ima. */
	close(test_fd);
	free(tmpname);
	return 0;
}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# g++ /test.cpp
# /a.out
# ls
a.out dev lib lost+found opt run test tmp
bin etc lib32 media proc sbin test.cpp usr
boot home lib64 mnt root sys test-yPVjX9 var
# getfattr -m . -d /test-yPVjX9
(!!!) no output here; the file doesn't have any xattrs
# cat /test-yPVjX9
test 123 test
# getfattr -m . -d /test-yPVjX9
getfattr: Removing leading '/' from absolute path names
# file: test-yPVjX9
security.evm=0sAiPz9jIP/WWLMFYT5C/pG8pAl/8T
security.ima=0sBAa/SpRDsU2c2pwqoIUyiVWqUZmpZ83lJzUHNwwPRD4/YnfwIRC3wlrmpzZLYs3l98Y+cI0mbJd/dngau8SQ6hX+
Audit syslog message:
pid=41020 uid=0 auid=1000 ses=3 op="appraise_data" cause="missing-hash" comm="cat" name="/test-yPVjX9" fowner=0 dev="dm-1" ino=18962 res=0
For some reason, with mkstemp, the xattrs were added only on the first read access.
Could you please help?
--
Best regards,
Mikhail Kurinnoi
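A reproduction and check in C, added here as an editor's example (not code from the message above or from the IMA project): it implements the write-temp-then-rename pattern the message describes (mkstemp() beside the destination, write, fsync, close, rename) and then reads security.ima back with getxattr(2) and decodes its header bytes, which is the raw form of the "0s..." base64 values that getfattr prints above ("0sBAb..." decodes to 0x04 0x06 ..., "0sAq..." to 0x02 ...). The type and hash-algorithm numbers follow the kernel's enum evm_ima_xattr_type and enum hash_algo. Whether the xattr is present after close depends on the kernel and policy, so the program reports absence (the symptom in the message) rather than treating it as an error. The sample byte arrays at the end are constructed for the checks, not values taken from the message.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/xattr.h>

/* Write-temp-then-rename as described above. The temporary file is created
 * beside dest with mkstemp(), so rename() stays on one filesystem and replaces
 * dest atomically (no separate unlink of dest is needed). Returns 0, or -1
 * with errno set and no temporary file left behind. */
int atomic_write(const char *dest, const void *data, size_t len)
{
    char tmp[PATH_MAX];
    const unsigned char *p = data;
    int fd;
    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", dest) >= (int)sizeof tmp) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if ((fd = mkstemp(tmp)) < 0)        /* O_RDWR|O_CREAT|O_EXCL, mode 0600 */
        return -1;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) goto fail;
        p += n; len -= (size_t)n;
    }
    if (fsync(fd) < 0) goto fail;
    /* Last writer closes here: with ima_appraise=fix this is where the kernel
     * is expected to store the fresh security.ima hash. */
    if (close(fd) < 0) { fd = -1; goto fail; }
    fd = -1;
    if (rename(tmp, dest) < 0) goto fail;
    return 0;
fail: {
        int e = errno;                  /* keep the original cause */
        if (fd >= 0) close(fd);
        unlink(tmp); errno = e; return -1;
    }
}

/* Raw layout of security.ima (getfattr prints it base64 after "0s"): a type
 * byte from the kernel's enum evm_ima_xattr_type and, for IMA_XATTR_DIGEST_NG,
 * an enum hash_algo byte followed by the digest. The "0sBAb..." values above
 * decode to 0x04 0x06 ..., i.e. DIGEST_NG with sha512. */
enum { IMA_XATTR_DIGEST = 1, EVM_IMA_XATTR_DIGSIG = 3, IMA_XATTR_DIGEST_NG = 4 };
static const struct { const char *name; size_t len; } hash_algos[] = {
    { "md4", 16 }, { "md5", 16 }, { "sha1", 20 }, { "rmd160", 20 },
    { "sha256", 32 }, { "sha384", 48 }, { "sha512", 64 }, { "sha224", 28 } };
#define N_HASH_ALGOS (sizeof hash_algos / sizeof hash_algos[0])
struct ima_xattr { int type; int algo; size_t digest_len; };

const char *hash_algo_name(int algo)
{
    return (algo >= 0 && (size_t)algo < N_HASH_ALGOS) ? hash_algos[algo].name : "unknown";
}

/* Parse a raw security.ima value; returns 0, or -1 if malformed. */
int parse_ima_xattr(const unsigned char *v, size_t n, struct ima_xattr *out)
{
    if (n < 2) return -1;
    out->type = v[0];
    switch (v[0]) {
    case IMA_XATTR_DIGEST:            /* legacy: 0x01 + 20-byte SHA-1 */
        out->algo = 2; out->digest_len = n - 1;
        return out->digest_len == 20 ? 0 : -1;
    case IMA_XATTR_DIGEST_NG:         /* 0x04 + hash_algo byte + digest */
        out->algo = v[1]; out->digest_len = n - 2;
        if ((size_t)out->algo >= N_HASH_ALGOS) return -1;
        return out->digest_len == hash_algos[out->algo].len ? 0 : -1;
    case EVM_IMA_XATTR_DIGSIG:        /* 0x03 + signature (not parsed here) */
        out->algo = -1; out->digest_len = n - 1;
        return 0;
    default:
        return -1;
    }
}

/* 1 if path carries a well-formed security.ima (parsed into *out), 0 if the
 * xattr is absent or the filesystem has no xattr support, -1 otherwise. */
int ima_xattr_state(const char *path, struct ima_xattr *out)
{
    unsigned char buf[1024];
    ssize_t n = getxattr(path, "security.ima", buf, sizeof buf);
    if (n < 0) return (errno == ENODATA || errno == ENOTSUP) ? 0 : -1;
    return parse_ima_xattr(buf, (size_t)n, out) == 0 ? 1 : -1;
}

/* Constructed samples (not from the message): the page's "0sBAb..." header
 * bytes 0x04 0x06 and a legacy 0x01 header, each with an all-zero digest. */
static const unsigned char sample_digest_ng[66] = { 0x04, 0x06 };
static const unsigned char sample_digest_legacy[21] = { 0x01 };

int main(int argc, char **argv)
{
    const char *dest = argc > 1 ? argv[1] : "test";
    struct ima_xattr x;
    if (atomic_write(dest, "test 123 test\n", 14) < 0) { perror("atomic_write"); return 1; }
    int st = ima_xattr_state(dest, &x);
    if (st == 1) printf("security.ima: type=%d algo=%s digest_len=%zu\n",
                        x.type, hash_algo_name(x.algo), x.digest_len);
    else puts(st == 0 ? "no security.ima (the symptom reported above)" : "getxattr failed");
    return st < 0;
}
```

Run it on the IMA-enabled box as root (`./a.out /test-atomic`) and compare with `getfattr -m . -d /test-atomic`: with the policy above, a present xattr should decode as type 4 and the algorithm the kernel is configured for, while the mkstemp case from the message shows up as "no security.ima" until the first read. The rename() step alone is enough to replace the destination; removing it first, as the message says some programs do, only opens a window with no file at all.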