Date: Fri, 17 Nov 2017 22:25:53 -0600
From: "Serge E. Hallyn"
To: Roberto Sassu
Cc: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, silviu.vlasceanu@huawei.com
Subject: Re: [PATCH v2 12/15] ima: do not update security.ima if appraisal status is not INTEGRITY_PASS
Message-ID: <20171118042553.GB13456@mail.hallyn.com>
References: <20171107103710.10883-1-roberto.sassu@huawei.com> <20171107103710.10883-13-roberto.sassu@huawei.com>
In-Reply-To: <20171107103710.10883-13-roberto.sassu@huawei.com>

On Tue, Nov 07, 2017 at 11:37:07AM +0100, Roberto Sassu wrote:
> Commit b65a9cfc2c38 ("Untangling ima mess, part 2: deal with counters")
> moved the call of ima_file_check() from may_open() to do_filp_open() at a
> point where the file descriptor is already opened.
>
> This breaks the assumption made by IMA that file descriptors being closed
> belong to files whose access was granted by ima_file_check(). The
> consequence is that security.ima and security.evm are updated with good
> values, regardless of the current appraisal status.
>
> For example, if a file does not have security.ima, IMA will create it after
> opening the file for writing, even if access is denied. Access to the file
> will be allowed afterwards.
>
> Avoid this issue by checking the appraisal status before updating
> security.ima.
>
> Signed-off-by: Roberto Sassu

IIUC this seems like a huge deal. Shouldn't this go in separately, asap?

> --- > security/integrity/ima/ima_appraise.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c > index 285a53452fb5..1b2236e637ff 100644 > --- a/security/integrity/ima/ima_appraise.c
> +++ b/security/integrity/ima/ima_appraise.c > @@ -320,6 +320,9 @@ void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file) > if (iint->flags & IMA_DIGSIG) > return; > > + if (iint->ima_file_status != INTEGRITY_PASS) > + return; > + > rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo); > if (rc < 0) > return; > -- > 2.11.0
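
Review bot: the new early return on `iint->ima_file_status != INTEGRITY_PASS` in ima_update_xattr() is silent and uncommented, so a reader of the function cannot tell why a close after write skips the xattr refresh. Suggest a short comment above the check saying that the descriptor being closed may belong to a file whose access ima_file_check() did not grant, as the commit message explains. It would also help for the commit message to state how a newly created file, which has no security.ima yet, reaches INTEGRITY_PASS, because with this check any file whose status is not pass never gets security.ima written from this path.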