Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <1520546740.3605.124.camel@linux.vnet.ibm.com>
Date: Thu, 08 Mar 2018 17:05:40 -0500
From: Mimi Zohar <zohar@...ux.vnet.ibm.com>
To: Tycho Andersen <tycho@...ho.ws>
Cc: Dmitry Kasatkin <dmitry.kasatkin@...il.com>,
        linux-integrity@...r.kernel.org, linux-kernel@...r.kernel.org,
        kernel-hardening@...ts.openwall.com
Subject: Re: [PATCH v2] ima: drop vla in ima_audit_measurement()

On Thu, 2018-03-08 at 14:45 -0700, Tycho Andersen wrote:
> Hi Mimi,
> 
> On Thu, Mar 08, 2018 at 03:36:14PM -0500, Mimi Zohar wrote:
> > On Thu, 2018-03-08 at 13:23 -0700, Tycho Andersen wrote:
> > 
> > >  /*
> > > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> > > index 2cfb0c714967..356faae6f09c 100644
> > > --- a/security/integrity/ima/ima_main.c
> > > +++ b/security/integrity/ima/ima_main.c
> > > @@ -288,8 +288,11 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
> > >  					      xattr_value, xattr_len, opened);
> > >  		inode_unlock(inode);
> > >  	}
> > > -	if (action & IMA_AUDIT)
> > > -		ima_audit_measurement(iint, pathname);
> > > +	if (action & IMA_AUDIT) {
> > > +		rc = ima_audit_measurement(iint, pathname);
> > > +		if (rc < 0)
> > > +			goto out_locked;
> > > +	}
> > > 
> > >  	if ((file->f_flags & O_DIRECT) && (iint->flags & IMA_PERMIT_DIRECTIO))
> > >  		rc = 0;
> > 
> > Only when IMA-appraisal is enforcing file data integrity should
> > process_measurement() ever fail.  Other errors can be logged/audited.
> 
> Ok, so previously in ima_audit_measurement() when allocation failed,
> there was nothing logged. If we just keep this behavior like below,
> does that look good?

Before the IMA locking change that were just upstreamed, there were
problems with measuring/appraising files that were opened with the
O_DIRECT flag.  Unless the IMA policy specified permit_directio, the
measurement/appraisal failed.  With the new locking, opening files
with the O_DIRECTIO flag shouldn't be a problem.  It just needs to be
fully tested before removing this code.

On failure, the code below tests the ima_audit_measurement() result
and skips the IMA_PERMIT_DIRECTIO test.  Unless I'm missing something,
I don't see the point.

Mimi


> Thanks!
> 
> Tycho
> 
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index 356faae6f09c..4e699bc7adc5 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -289,9 +289,13 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
>  		inode_unlock(inode);
>  	}
>  	if (action & IMA_AUDIT) {
> -		rc = ima_audit_measurement(iint, pathname);
> -		if (rc < 0)
> +		int ret;
> +
> +		ret = ima_audit_measurement(iint, pathname);
> +		if (ret < 0 && ima_appraise & IMA_APPRAISE_ENFORCE) {
> +			rc = ret;
>  			goto out_locked;
> +		}
>  	}
> 
>  	if ((file->f_flags & O_DIRECT) && (iint->flags & IMA_PERMIT_DIRECTIO))
> 

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.