From: Stefan Berger <stefanb@linux.ibm.com>
To: Mimi Zohar <zohar@linux.ibm.com>, linux-integrity@vger.kernel.org
Cc: roberto.sassu@huawei.com, Petr Vorel <pvorel@suse.cz>
Subject: Re: [PATCH 1/2] ima: limit the number of open-writers integrity violations
Date: Thu, 20 Feb 2025 10:24:06 -0500 [thread overview]
Message-ID: <8bebd73a-8950-40c6-92e1-493354b2480c@linux.ibm.com> (raw)
In-Reply-To: <20250219162131.416719-2-zohar@linux.ibm.com>
On 2/19/25 11:21 AM, Mimi Zohar wrote:
> Each time a file in policy, that is already opened for write, is opened
> for read an open-writers integrity violation audit message is emitted
> and a violation record is added to the IMA measurement list, even if an
> open-writers violation has already been recorded.
>
> Limit the number of open-writers integrity violations for an existing
> file open for write to one. After the existing file open for write
> closes (__fput), subsequent open-writers integrity violations may occur.
>
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
> Change log v1:
> - Basesd on Stefan's RFC comments, updated the patch description and code.
>
> security/integrity/ima/ima.h | 1 +
> security/integrity/ima/ima_main.c | 11 +++++++++--
> 2 files changed, 10 insertions(+), 2 deletions(-)
>
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index a4f284bd846c..7f21568544dd 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -182,6 +182,7 @@ struct ima_kexec_hdr {
> #define IMA_CHANGE_ATTR 2
> #define IMA_DIGSIG 3
> #define IMA_MUST_MEASURE 4
> +#define IMA_LIMIT_VIOLATIONS 5
>
> /* IMA integrity metadata associated with an inode */
> struct ima_iint_cache {
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index 28b8b0db6f9b..cde3ae55d654 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -137,8 +137,13 @@ static void ima_rdwr_violation_check(struct file *file,
> } else {
> if (must_measure)
> set_bit(IMA_MUST_MEASURE, &iint->atomic_flags);
> - if (inode_is_open_for_write(inode) && must_measure)
> - send_writers = true;
> +
> + /* Limit number of open_writers violations */
> + if (inode_is_open_for_write(inode) && must_measure) {
> + if (!test_and_set_bit(IMA_LIMIT_VIOLATIONS,
> + &iint->atomic_flags))
> + send_writers = true;
> + }
> }
>
> if (!send_tomtou && !send_writers)
> @@ -167,6 +172,8 @@ static void ima_check_last_writer(struct ima_iint_cache *iint,
> if (atomic_read(&inode->i_writecount) == 1) {
> struct kstat stat;
>
> + clear_bit(IMA_LIMIT_VIOLATIONS, &iint->atomic_flags);
> +
> update = test_and_clear_bit(IMA_UPDATE_XATTR,
> &iint->atomic_flags);
> if ((iint->flags & IMA_NEW_FILE) ||
> --
> 2.48.1
>
next prev parent reply other threads:[~2025-02-20 15:24 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-19 16:21 [PATCH 0/2] ima: limit both open-writers and ToMToU violations Mimi Zohar
2025-02-19 16:21 ` [PATCH 1/2] ima: limit the number of open-writers integrity violations Mimi Zohar
2025-02-20 15:24 ` Stefan Berger [this message]
2025-02-20 18:26 ` Petr Vorel
2025-02-21 8:18 ` Petr Vorel
2025-02-21 16:56 ` Roberto Sassu
2025-02-19 16:21 ` [PATCH 2/2] ima: limit the number of ToMToU " Mimi Zohar
2025-02-20 15:24 ` Stefan Berger
2025-02-20 18:27 ` Petr Vorel
2025-02-21 8:18 ` Petr Vorel
2025-02-21 17:36 ` Roberto Sassu
2025-02-26 19:19 ` Mimi Zohar
2025-02-27 8:34 ` Roberto Sassu
2025-02-21 16:49 ` [PATCH 0/2] ima: limit both open-writers and ToMToU violations Roberto Sassu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8bebd73a-8950-40c6-92e1-493354b2480c@linux.ibm.com \
--to=stefanb@linux.ibm.com \
--cc=linux-integrity@vger.kernel.org \
--cc=pvorel@suse.cz \
--cc=roberto.sassu@huawei.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox