| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20090527140915.26efc70b.akpm@linux-foundation.org> Date: Wed, 27 May 2009 14:09:15 -0700 From: Andrew Morton <akpm@...ux-foundation.org> To: Mimi Zohar <zohar@...ux.vnet.ibm.com> Cc: linux-kernel@...r.kernel.org, hooanon05@...oo.co.jp, "J. Bruce Fields" <bfields@...ldses.org>, James Morris <jmorris@...ei.org>, David Safford <safford@...son.ibm.com>, linux-nfs@...r.kernel.org, Mimi Zohar <zohar@...ibm.com>, Hugh Dickins <hugh.dickins@...cali.co.uk> Subject: Re: [PATCH v2] integrity: nfsd imbalance bug fix hugh@...itas.com is about to vanish - please update your address book to hugh.dickins@...cali.co.uk. On Wed, 27 May 2009 09:31:52 -0400 Mimi Zohar <zohar@...ux.vnet.ibm.com> wrote: > An nfsd exported file is opened/closed by the kernel causing the > integrity imbalance message. > > Before a file is opened, there normally is permission checking, which > is done in inode_permission(). However, as integrity checking requires > a dentry and mount point, which is not available in inode_permission(), > the integrity (permission) checking must be called separately. > > In order to detect any missing integrity checking calls, we keep track > of file open/closes. ima_path_check() increments these counts and > does the integrity (permission) checking. As a result, the number of > calls to ima_path_check()/ima_file_free() should be balanced. An extra > call to fput(), indicates the file could have been accessed without first > calling ima_path_check(). > > In nfsv3 permission checking is done once, followed by multiple reads, > which do an open/close for each read. The integrity (permission) checking > call should be in nfsd_permission() after the inode_permission() call, but > as there is no correlation between the number of permission checking and > open calls, the integrity checking call should not increment the counters, > but defer it to when the file is actually opened. > > This patch adds: > - integrity (permission) checking for nfsd exported files in nfsd_permission(). > - a call to increment counts for files opened by nfsd. > > This patch has been updated to return the nfs error types. I have a note here that Hugh had some significant issues with the previous version of this patch. Were these problems addressed? If so, how? Thanks. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists