Date:   Tue,  4 Jan 2022 12:04:13 -0500
From:   Stefan Berger <stefanb@...ux.vnet.ibm.com>
To:     linux-integrity@...r.kernel.org
Cc:     zohar@...ux.ibm.com, serge@...lyn.com,
        christian.brauner@...ntu.com, containers@...ts.linux.dev,
        dmitry.kasatkin@...il.com, ebiederm@...ssion.com,
        krzysztof.struczynski@...wei.com, roberto.sassu@...wei.com,
        mpeters@...hat.com, lhinds@...hat.com, lsturman@...hat.com,
        puiterwi@...hat.com, jejb@...ux.ibm.com, jamjoom@...ibm.com,
        linux-kernel@...r.kernel.org, paul@...l-moore.com, rgb@...hat.com,
        linux-security-module@...r.kernel.org, jmorris@...ei.org,
        Stefan Berger <stefanb@...ux.ibm.com>
Subject: [PATCH v8 16/19] ima: Enable re-auditing of modified files

From: Stefan Berger <stefanb@...ux.ibm.com>

Walk the list of ns_status associated with an iint if the file has
changed and reset the IMA_AUDITED flag, which is part of the
IMA_DONE_MASK. This causes a new audit message to be emitted when the
file is again accessed on either the host or in an IMA namespace.

Signed-off-by: Stefan Berger <stefanb@...ux.ibm.com>
---
 security/integrity/ima/ima_main.c | 33 ++++++++++++++++++++++++++++++-
 1 file changed, 32 insertions(+), 1 deletion(-)

diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 99dc984b49c9..bc3ab08f39c6 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -153,6 +153,35 @@ static void ima_rdwr_violation_check(struct ima_namespace *ns,
 				  "invalid_pcr", "open_writers");
 }
 
+#ifdef CONFIG_IMA_NS
+
+static void mask_iint_ns_status_flags(struct integrity_iint_cache *iint,
+				      unsigned long mask)
+{
+	struct ns_status *status;
+	unsigned long flags;
+
+	read_lock(&iint->ns_list_lock);
+	list_for_each_entry(status, &iint->ns_list, ns_next) {
+		flags = iint_flags(iint, status) & mask;
+		set_iint_flags(iint, status, flags);
+	}
+	read_unlock(&iint->ns_list_lock);
+}
+
+#else
+
+static void mask_iint_ns_status_flags(struct integrity_iint_cache *iint,
+				      unsigned long mask)
+{
+	unsigned long flags;
+
+	flags = iint_flags(iint, NULL) & mask;
+	set_iint_flags(iint, NULL, flags);
+}
+
+#endif
+
 static void ima_check_last_writer(struct integrity_iint_cache *iint,
 				  struct inode *inode, struct file *file)
 {
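Review bot: In the CONFIG_IMA_NS variant of mask_iint_ns_status_flags, every ns_status's flags are rewritten through set_iint_flags while the caller holds only read_lock(&iint->ns_list_lock), so two concurrent callers may both execute the read-modify-write `flags = iint_flags(iint, status) & mask; set_iint_flags(iint, status, flags);` on the same status at once; unless set_iint_flags serializes the update itself (not visible here), a bit cleared by one caller can be reinstated by the other and the IMA_AUDITED state stays stale. If ns_list_lock is intended to guard list membership only, a one-line comment above the read_lock saying so and naming what protects the flag words would make that checkable. The parameter is also easy to misread: `mask` is the set of bits to keep, not the bits to clear (the caller passes `~(IMA_DONE_MASK | IMA_NEW_FILE)`), so a header comment such as `/* AND the flags of every ns_status on iint->ns_list with @mask; pass the complement of the bits to clear */` would help the next reader.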
@@ -169,8 +198,10 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint,
 		if (!IS_I_VERSION(inode) ||
 		    !inode_eq_iversion(inode, iint->version) ||
 		    (iint->flags & IMA_NEW_FILE)) {
-			iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE);
+			mask_iint_ns_status_flags(iint,
+					~(IMA_DONE_MASK | IMA_NEW_FILE));
 			iint->measured_pcrs = 0;
+
 			if (update)
 				ima_update_xattr(iint, file);
 		}
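Review bot: The condition at the top of the hunk still reads `iint->flags & IMA_NEW_FILE` directly, while the reset it guards now goes through mask_iint_ns_status_flags, which in the CONFIG_IMA_NS build only walks iint->ns_list; unless the host's status is on that list or set_iint_flags also updates iint->flags (neither is visible here), the host-side bits this condition and the rest of the function depend on would no longer be cleared, contrary to the description. That is worth confirming, and a call-site comment such as `/* drop the done/new-file bits for the host and every IMA namespace that has seen this inode */` would record the intended semantics. The blank line added before `if (update)` is an unrelated whitespace change. ima_check_last_writer starts and ends outside this hunk.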
-- 
2.31.1
