From: Eric Paris <eparis@redhat.com>
To: linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-fsdevel@vger.kernel.org
Cc: hch@infradead.org, zohar@us.ibm.com, warthog9@kernel.org,
david@fromorbit.com, jmorris@namei.org, kyle@mcmartin.ca,
hpa@zytor.com, akpm@linux-foundation.org,
torvalds@linux-foundation.org, mingo@elte.hu, eparis@redhat.com,
viro@zeniv.linux.org.uk
Subject: [PATCH 11/11] IMA: fix the ToMToU logic
Date: Mon, 25 Oct 2010 14:42:25 -0400 [thread overview]
Message-ID: <20101025184225.20504.18427.stgit@paris.rdu.redhat.com> (raw)
In-Reply-To: <20101025184118.20504.24290.stgit@paris.rdu.redhat.com>
Current logic looks like this:
rc = ima_must_measure(NULL, inode, MAY_READ, FILE_CHECK);
if (rc < 0)
goto out;
if (mode & FMODE_WRITE) {
if (inode->i_readcount)
send_tomtou = true;
goto out;
}
if (atomic_read(&inode->i_writecount) > 0)
send_writers = true;
Lets assume we have a policy which states that all files opened for read by
root must be measured.
Lets assume the file has permissions 777.
Lets assume that root has the given file open for read.
Lets assume that a non-root process opens the file write.
The non-root process will get to ima_counts_get() and will check the
ima_must_measure(). Since it is not supposed to measure it will goto out.
We should check the i_readcount no matter what since we might be causing a
ToMToU voilation!
This is close to correct , but still not quite perfect. The situation could have
been that root, which was interested in the mesurement opened and closed the
file and another process which is not interested in the measurement is the one
holding the i_readcount ATM. This is just overly strict on ToMToU violations,
which is better than not strict enough...
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
---
security/integrity/ima/ima_main.c | 11 ++++++-----
1 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 60dd615..203de97 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -112,22 +112,23 @@ void ima_counts_get(struct file *file)
if (!ima_initialized)
goto out;
- rc = ima_must_measure(NULL, inode, MAY_READ, FILE_CHECK);
- if (rc < 0)
- goto out;
-
if (mode & FMODE_WRITE) {
- if (inode->i_readcount)
+ if (inode->i_readcount && IS_IMA(inode))
send_tomtou = true;
goto out;
}
+ rc = ima_must_measure(NULL, inode, MAY_READ, FILE_CHECK);
+ if (rc < 0)
+ goto out;
+
if (atomic_read(&inode->i_writecount) > 0)
send_writers = true;
out:
/* remember the vfs deals with i_writecount */
if ((mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ)
inode->i_readcount++;
+
spin_unlock(&inode->i_lock);
if (send_tomtou)
next prev parent reply other threads:[~2010-10-25 18:43 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-10-25 18:41 [PATCH 01/11] IMA: use rbtree instead of radix tree for inode information cache Eric Paris
2010-10-25 18:41 ` [PATCH 02/11] IMA: drop the inode opencount since it isn't needed for operation Eric Paris
2010-10-25 18:41 ` [PATCH 03/11] IMA: use unsigned int instead of long for counters Eric Paris
2010-10-25 18:41 ` [PATCH 04/11] IMA: convert internal flags from long to char Eric Paris
2010-10-25 18:41 ` [PATCH 05/11] IMA: use inode->i_lock to protect read and write counters Eric Paris
2010-10-25 18:41 ` [PATCH 06/11] IMA: use i_writecount rather than a private counter Eric Paris
2010-10-25 19:27 ` John Stoffel
2010-10-25 21:52 ` Eric Paris
2010-10-25 22:25 ` H. Peter Anvin
2010-10-25 22:29 ` Eric Paris
2010-10-26 13:57 ` John Stoffel
2010-10-26 13:53 ` John Stoffel
2010-10-26 22:08 ` H. Peter Anvin
2010-10-25 18:41 ` [PATCH 07/11] IMA: move read counter into struct inode Eric Paris
2010-10-25 18:42 ` [PATCH 08/11] IMA: only allocate iint when needed Eric Paris
2010-10-25 18:42 ` [PATCH 09/11] IMA: drop refcnt from ima_iint_cache since it isn't needed Eric Paris
2010-10-25 18:42 ` [PATCH 10/11] IMA: explicit IMA i_flag to remove global lock on inode_delete Eric Paris
2010-10-25 18:42 ` Eric Paris [this message]
2010-10-25 19:21 ` [PATCH 01/11] IMA: use rbtree instead of radix tree for inode information cache John Stoffel
2010-10-25 19:38 ` J.H.
2010-10-25 20:55 ` Linus Torvalds
2010-10-25 20:57 ` Christoph Hellwig
2010-10-25 21:11 ` Linus Torvalds
2010-10-26 14:01 ` John Stoffel
2010-10-26 15:22 ` Linus Torvalds
2010-10-26 15:30 ` Eric Paris
2010-10-26 15:53 ` John Stoffel
2010-10-26 18:13 ` Al Viro
2010-10-27 13:35 ` James Morris
2010-10-26 14:07 ` John Stoffel
2010-10-25 21:34 ` Eric Paris
2010-10-26 13:45 ` John Stoffel
2010-10-25 23:22 ` Dave Chinner
2010-10-26 0:12 ` Eric Paris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20101025184225.20504.18427.stgit@paris.rdu.redhat.com \
--to=eparis@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=david@fromorbit.com \
--cc=hch@infradead.org \
--cc=hpa@zytor.com \
--cc=jmorris@namei.org \
--cc=kyle@mcmartin.ca \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
--cc=warthog9@kernel.org \
--cc=zohar@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).