Until we start appraising measurements, the ima_path_check()
return code should always be 0.
- Update the ima_path_check() return code comment
- Instead of the pr_info, audit the dentry_open failure
Signed-off-by: Mimi Zohar <[email protected]>
---
security/integrity/ima/ima_main.c | 13 +++++++++----
1 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index a2eb233..6f61187 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -149,8 +149,8 @@ static void ima_update_counts(struct ima_iint_cache *iint, int mask)
* - Opening a file for read when already open for write,
* could result in a file measurement error.
*
- * Return 0 on success, an error code on failure.
- * (Based on the results of appraise_measurement().)
+ * Always return 0 and audit dentry_open failures.
+ * (Return code will be based upon measurement appraisal.)
*/
int ima_path_check(struct path *path, int mask, int update_counts)
{
@@ -189,8 +189,13 @@ int ima_path_check(struct path *path, int mask, int update_counts)
file = dentry_open(dentry, mnt, O_RDONLY | O_LARGEFILE,
current_cred());
if (IS_ERR(file)) {
- pr_info("%s dentry_open failed\n", dentry->d_name.name);
- rc = PTR_ERR(file);
+ int audit_info = 0;
+
+ integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode,
+ dentry->d_name.name,
+ "add_measurement",
+ "dentry_open failed",
+ 1, audit_info);
file = NULL;
goto out;
}
--
1.6.0.6
On Thu, 2009-06-04 at 13:53 -0400, Mimi Zohar wrote:
> Until we start appraising measurements, the ima_path_check()
> return code should always be 0.
>
> - Update the ima_path_check() return code comment
> - Instead of the pr_info, audit the dentry_open failure
>
> Signed-off-by: Mimi Zohar <[email protected]>
So I'm not a big fan of the needless stack variable declaration. This
isn't the only spot you do it (and sometimes you do actually make use of
the variable like ima_add_template_entry) but I'm guessing the compiler
will clean it up, so
Acked-by: Eric Paris <[email protected]>
>
> ---
> security/integrity/ima/ima_main.c | 13 +++++++++----
> 1 files changed, 9 insertions(+), 4 deletions(-)
>
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index a2eb233..6f61187 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -149,8 +149,8 @@ static void ima_update_counts(struct ima_iint_cache *iint, int mask)
> * - Opening a file for read when already open for write,
> * could result in a file measurement error.
> *
> - * Return 0 on success, an error code on failure.
> - * (Based on the results of appraise_measurement().)
> + * Always return 0 and audit dentry_open failures.
> + * (Return code will be based upon measurement appraisal.)
> */
> int ima_path_check(struct path *path, int mask, int update_counts)
> {
> @@ -189,8 +189,13 @@ int ima_path_check(struct path *path, int mask, int update_counts)
> file = dentry_open(dentry, mnt, O_RDONLY | O_LARGEFILE,
> current_cred());
> if (IS_ERR(file)) {
> - pr_info("%s dentry_open failed\n", dentry->d_name.name);
> - rc = PTR_ERR(file);
> + int audit_info = 0;
> +
> + integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode,
> + dentry->d_name.name,
> + "add_measurement",
> + "dentry_open failed",
> + 1, audit_info);
> file = NULL;
> goto out;
> }
On Thu, 4 Jun 2009, Mimi Zohar wrote:
> Until we start appraising measurements, the ima_path_check()
> return code should always be 0.
>
> - Update the ima_path_check() return code comment
> - Instead of the pr_info, audit the dentry_open failure
>
> Signed-off-by: Mimi Zohar <[email protected]>
Applied to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6#next
--
James Morris
<[email protected]>