lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1405462329.2124.12.camel@dhcp-9-2-203-236.watson.ibm.com>
Date:	Tue, 15 Jul 2014 18:12:09 -0400
From:	Mimi Zohar <zohar@...ux.vnet.ibm.com>
To:	Dmitry Kasatkin <d.kasatkin@...sung.com>
Cc:	linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org,
	linux-security-module@...r.kernel.org, viro@...iv.linux.org.uk,
	linux-ima-devel@...ts.sourceforge.net
Subject: Re: [Linux-ima-devel] [PATCH v1 1/3] ima: provide flag to identify
 new empty files

On Tue, 2014-07-15 at 10:00 -0400, Mimi Zohar wrote: 
> On Fri, 2014-07-11 at 14:46 +0300, Dmitry Kasatkin wrote: 
> > Newly created empty files do not get initial security.ima
> > value because iversion does not change. It can be checked from
> > the shell as:
> > 
> >   $ (exec >foo)
> >   $ getfattr -h -e hex -d -m security foo

This is a change in behavior.  Please include the commit number that
introduced this change in the patch description.

Mimi

> > This patch defines IMA_NEW_FILE flag which is set when IMA detects that new
> > file is created. It is checked upon ima_file_free hook to set initial
> > security.ima value.
> 
> Other than rebasing on top of #next, this patch set looks good.
> 
> thanks,
> 
> Mimi
> 
> > Signed-off-by: Dmitry Kasatkin <d.kasatkin@...sung.com>
> 
> > ---
> >  security/integrity/ima/ima_appraise.c |  7 +++++--
> >  security/integrity/ima/ima_main.c     | 12 +++++++-----
> >  security/integrity/integrity.h        |  1 +
> >  3 files changed, 13 insertions(+), 7 deletions(-)
> > 
> > diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
> > index 9dd18b5..3a4beb3 100644
> > --- a/security/integrity/ima/ima_appraise.c
> > +++ b/security/integrity/ima/ima_appraise.c
> > @@ -194,8 +194,11 @@ int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
> >  			goto out;
> > 
> >  		cause = "missing-hash";
> > -		status =
> > -		    (inode->i_size == 0) ? INTEGRITY_PASS : INTEGRITY_NOLABEL;
> > +		status = INTEGRITY_NOLABEL;
> > +		if (inode->i_size == 0) {
> > +			iint->flags |= IMA_NEW_FILE;
> > +			status = INTEGRITY_PASS;
> > +		}
> >  		goto out;
> >  	}
> > 
> > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> > index e51e0d5..5a870e7 100644
> > --- a/security/integrity/ima/ima_main.c
> > +++ b/security/integrity/ima/ima_main.c
> > @@ -124,11 +124,13 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint,
> >  		return;
> > 
> >  	mutex_lock(&iint->mutex);
> > -	if (atomic_read(&inode->i_writecount) == 1 &&
> > -	    iint->version != inode->i_version) {
> > -		iint->flags &= ~IMA_DONE_MASK;
> > -		if (iint->flags & IMA_APPRAISE)
> > -			ima_update_xattr(iint, file);
> > +	if (atomic_read(&inode->i_writecount) == 1) {
> > +		if ((iint->version != inode->i_version) ||
> > +		    (iint->flags & IMA_NEW_FILE)) {
> > +			iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE);
> > +			if (iint->flags & IMA_APPRAISE)
> > +				ima_update_xattr(iint, file);
> > +		}
> >  	}
> >  	mutex_unlock(&iint->mutex);
> >  }
> > diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
> > index 92c1083..7656d47 100644
> > --- a/security/integrity/integrity.h
> > +++ b/security/integrity/integrity.h
> > @@ -30,6 +30,7 @@
> >  #define IMA_ACTION_FLAGS	0xff000000
> >  #define IMA_DIGSIG_REQUIRED	0x01000000
> >  #define IMA_PERMIT_DIRECTIO	0x02000000
> > +#define IMA_NEW_FILE		0x04000000
> > 
> >  #define IMA_DO_MASK		(IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \
> >  				 IMA_APPRAISE_SUBMASK)
> 
> 
> 
> ------------------------------------------------------------------------------
> Want fast and easy access to all the code in your enterprise? Index and
> search up to 200,000 lines of code with a free copy of Black Duck
> Code Sight - the same software that powers the world's largest code
> search on Ohloh, the Black Duck Open Hub! Try it now.
> http://p.sf.net/sfu/bds
> _______________________________________________
> Linux-ima-devel mailing list
> Linux-ima-devel@...ts.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/linux-ima-devel
> 


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ