| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 19 Mar 2021 16:03:57 -0400
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Dmitry Vyukov <dvyukov@...gle.com>
Cc: linux-integrity@...r.kernel.org, Test <test@...alhost.localdomain>,
James Morris <jmorris@...ei.org>,
"Serge E . Hallyn" <serge@...lyn.com>,
linux-security-module <linux-security-module@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>,
Eric Biggers <ebiggers@...nel.org>,
Mimi Zohar <zohar@...ux.ibm.com>
Subject: [RFC PATCH 1/2] ima: don't access a file's integrity status before an IMA policy is loaded
From: Test <test@...alhost.localdomain>
Only after an IMA policy is loaded, check, save, or update the cached
file's integrity status.
Signed-off-by: Mimi Zohar <zohar@...ux.ibm.com>
---
security/integrity/ima/ima_main.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 9ef748ea829f..9d1196f712e1 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -606,6 +606,9 @@ void ima_post_create_tmpfile(struct user_namespace *mnt_userns,
struct integrity_iint_cache *iint;
int must_appraise;
+ if (!ima_policy_flag || !S_ISREG(inode->i_mode))
+ return;
+
must_appraise = ima_must_appraise(mnt_userns, inode, MAY_ACCESS,
FILE_CHECK);
if (!must_appraise)
@@ -636,6 +639,9 @@ void ima_post_path_mknod(struct user_namespace *mnt_userns,
struct inode *inode = dentry->d_inode;
int must_appraise;
+ if (!ima_policy_flag || !S_ISREG(inode->i_mode))
+ return;
+
must_appraise = ima_must_appraise(mnt_userns, inode, MAY_ACCESS,
FILE_CHECK);
if (!must_appraise)
--
2.27.0
Powered by blists - more mailing lists