From: Dave Hansen <dave@linux.vnet.ibm.com>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: linux-kernel@vger.kernel.org,
Andrew Morton <akpm@linux-foundation.org>,
James Morris <jmorris@namei.org>,
Christoph Hellwig <hch@infradead.org>,
Al Viro <viro@ZenIV.linux.org.uk>,
David Safford <safford@watson.ibm.com>,
Serge Hallyn <serue@linux.vnet.ibm.com>,
Mimi Zohar <zohar@us.ibm.com>, Christoph Hellwig <hch@lst.de>
Subject: Re: [PATCH 3/4] integrity: IMA as an integrity service provider
Date: Fri, 21 Nov 2008 09:38:50 -0800 [thread overview]
Message-ID: <1227289130.11607.30.camel@nimitz> (raw)
In-Reply-To: <1227231596.2819.102.camel@localhost.localdomain>
On Thu, 2008-11-20 at 20:39 -0500, Mimi Zohar wrote:
> On Thu, 2008-11-20 at 13:22 -0800, Dave Hansen wrote:
> > On Thu, 2008-11-20 at 11:43 -0500, Mimi Zohar wrote:
> > >
> > > + /* Invalidate PCR, if a measured file is already open for read
> > > */
> > > + if ((mask == MAY_WRITE) || (mask == MAY_APPEND)) {
> > > + int mask_sav = data->mask;
> > > + int rc;
> > > +
> > > + data->mask = MAY_READ;
> > > + rc = ima_must_measure(&idata);
> > > + if (!rc) {
> > > + if (atomic_read(&(data->dentry->d_count)) - 1 >
> > > + atomic_read(&(inode->i_writecount)))
> > > + ima_add_violation(inode, data->filename,
> > > + "invalid_pcr", "ToMToU");
> > > + }
> > > + data->mask = mask_sav;
> > > + goto out;
> > > + }
> >
> > Following up on Christoph's comment...
> >
> > I'm worried that this calculation isn't very precise. The calculation
> > that you're trying to come up with here is the number of opens (d_count)
> > vs. the number of writers (i_writecount). When they don't match, you
> > know that the new open is the first write, and you must 'invalidate the
> > PCR'?
> >
> > There are a number of things that elevate d_count, and it is a lot more
> > than just an open() that can do it. Is that OK?
>
> >From an integrity perspective, a file measurement might be invalidated
> unnecessarily, but it is safe. For any file when opened for write, while
> having an existing reader, will cause the file measurement to be
> invalidated. Can you give examples of things, other than open(), that
> elevate d_count?
Just do a little search for dget(). There are plenty of places that
we'll do a lookup (and a dget), realize that we can't complete an
operation (say O_RDWR on a 400 file), then dput() the dentry. If you
look at dput at the wrong time, you could mistake that for an *actual*
open.
Are you holding any locks here? If not, it is completely conceivable
that you do the atomic_read(d_count)=100, then by the time you do the
aomtic_read(i_writecount), 90 of those references have been dput()'d.
> Is there a different, better way to determine if there are any readers?
I think you're looking at it from the wrong angle. If you have a
writer, does it matter whether there are any readers? You should just
unconditionally invalidate the integrity measurement.
-- Dave
next prev parent reply other threads:[~2008-11-21 17:39 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-11-20 16:43 [PATCH 0/4] integrity Mimi Zohar
2008-11-20 16:43 ` [PATCH 1/4] integrity: TPM internel kernel interface Mimi Zohar
2008-11-20 16:43 ` [PATCH 2/4] integrity: Linux Integrity Module(LIM) Mimi Zohar
2008-11-20 17:45 ` Christoph Hellwig
2008-11-20 19:21 ` david safford
2008-11-20 19:26 ` Christoph Hellwig
2008-11-21 12:37 ` david safford
2008-11-21 17:45 ` Dave Hansen
2008-11-21 17:46 ` Dave Hansen
2008-11-21 19:10 ` Mimi Zohar
2008-11-21 17:48 ` Dave Hansen
2008-11-21 19:09 ` Mimi Zohar
2008-11-21 17:53 ` Dave Hansen
2008-11-21 19:10 ` Mimi Zohar
2008-11-20 16:43 ` [PATCH 3/4] integrity: IMA as an integrity service provider Mimi Zohar
2008-11-20 18:15 ` Christoph Hellwig
2008-11-20 20:52 ` Mimi Zohar
2008-11-21 1:42 ` Mimi Zohar
2008-11-20 21:22 ` Dave Hansen
2008-11-21 1:39 ` Mimi Zohar
2008-11-21 17:38 ` Dave Hansen [this message]
2008-11-20 16:43 ` [PATCH 4/4] integrity: replace task uid with cred uid Mimi Zohar
2008-11-21 17:42 ` [PATCH 0/4] integrity Dave Hansen
-- strict thread matches above, loose matches on Subject: below --
2008-11-13 3:47 Mimi Zohar
2008-11-13 3:47 ` [PATCH 3/4] integrity: IMA as an integrity service provider Mimi Zohar
2008-11-14 22:15 ` Andrew Morton
2008-11-17 19:05 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1227289130.11607.30.camel@nimitz \
--to=dave@linux.vnet.ibm.com \
--cc=akpm@linux-foundation.org \
--cc=hch@infradead.org \
--cc=hch@lst.de \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=safford@watson.ibm.com \
--cc=serue@linux.vnet.ibm.com \
--cc=viro@ZenIV.linux.org.uk \
--cc=zohar@linux.vnet.ibm.com \
--cc=zohar@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox