Message ID | 20250205033210.849509-1-zohar@linux.ibm.com (mailing list archive) |
Series | [RFC,v2,1/2] ima: limit the number of open-writers integrity violations | expand |
On 2/4/25 10:32 PM, Mimi Zohar wrote: > Limit the number of open-writers integrity violation audit messages > and records in the IMA measurement list emitted when re-opening a > file for read. .. to only show one violation. (?) > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> > --- > security/integrity/ima/ima.h | 1 + > security/integrity/ima/ima_main.c | 14 ++++++++++++-- > 2 files changed, 13 insertions(+), 2 deletions(-) > > diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h > index a4f284bd846c..7f21568544dd 100644 > --- a/security/integrity/ima/ima.h > +++ b/security/integrity/ima/ima.h > @@ -182,6 +182,7 @@ struct ima_kexec_hdr { > #define IMA_CHANGE_ATTR 2 > #define IMA_DIGSIG 3 > #define IMA_MUST_MEASURE 4 > +#define IMA_LIMIT_VIOLATIONS 5 > > /* IMA integrity metadata associated with an inode */ > struct ima_iint_cache { > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c > index 28b8b0db6f9b..5091ad931677 100644 > --- a/security/integrity/ima/ima_main.c > +++ b/security/integrity/ima/ima_main.c > @@ -137,8 +137,16 @@ static void ima_rdwr_violation_check(struct file *file, > } else { > if (must_measure) > set_bit(IMA_MUST_MEASURE, &iint->atomic_flags); iint is assumed to be here under, which is correct when must_measure is set since how the single caller of this function calls it. > - if (inode_is_open_for_write(inode) && must_measure) > - send_writers = true; > + > + if (inode_is_open_for_write(inode) && must_measure) { > + if (!iint) > + iint = ima_iint_find(inode); When must_measure is set, the case of iint == NULL should never occur here. > + > + /* Limit number of open_writers violations */ > + if (iint && !test_and_set_bit(IMA_LIMIT_VIOLATIONS, > + &iint->atomic_flags)) if (!test_and_set_bit(...)) > + send_writers = true; > + } > } > > if (!send_tomtou && !send_writers) 
> @@ -167,6 +175,8 @@ static void ima_check_last_writer(struct ima_iint_cache *iint, > if (atomic_read(&inode->i_writecount) == 1) { > struct kstat stat; > > + clear_bit(IMA_LIMIT_VIOLATIONS, &iint->atomic_flags); > + > update = test_and_clear_bit(IMA_UPDATE_XATTR, > &iint->atomic_flags); > if ((iint->flags & IMA_NEW_FILE) || I tested the two patches. For the file /usr/bin/foobar that's being measured on FILE_CHECK I get two violations for this sequence here: # exec 3>/usr/bin/foobar # exec 4</usr/bin/foobar # exec 3>/usr/bin/foobar This here now only emits one violation now. # exec 3>/usr/bin/foobar # exec 4</usr/bin/foobar # exec 4</usr/bin/foobar # exec 5</usr/bin/foobar # exec 6</usr/bin/foobar
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index a4f284bd846c..7f21568544dd 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -182,6 +182,7 @@ struct ima_kexec_hdr {
 #define IMA_CHANGE_ATTR 2
 #define IMA_DIGSIG 3
 #define IMA_MUST_MEASURE 4
+#define IMA_LIMIT_VIOLATIONS 5
 
 /* IMA integrity metadata associated with an inode */
 struct ima_iint_cache {
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 28b8b0db6f9b..5091ad931677 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -137,8 +137,16 @@ static void ima_rdwr_violation_check(struct file *file,
 	} else {
 		if (must_measure)
 			set_bit(IMA_MUST_MEASURE, &iint->atomic_flags);
-		if (inode_is_open_for_write(inode) && must_measure)
-			send_writers = true;
+
+		if (inode_is_open_for_write(inode) && must_measure) {
+			if (!iint)
+				iint = ima_iint_find(inode);
+
+			/* Limit number of open_writers violations */
+			if (iint && !test_and_set_bit(IMA_LIMIT_VIOLATIONS,
+						      &iint->atomic_flags))
+				send_writers = true;
+		}
 	}
 
 	if (!send_tomtou && !send_writers)
@@ -167,6 +175,8 @@ static void ima_check_last_writer(struct ima_iint_cache *iint,
 	if (atomic_read(&inode->i_writecount) == 1) {
 		struct kstat stat;
 
+		clear_bit(IMA_LIMIT_VIOLATIONS, &iint->atomic_flags);
+
 		update = test_and_clear_bit(IMA_UPDATE_XATTR,
 					    &iint->atomic_flags);
 		if ((iint->flags & IMA_NEW_FILE) ||
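Review bot: The new `/* Limit number of open_writers violations */` comment in ima_rdwr_violation_check() does not say what the limit is or when it resets, and the name IMA_LIMIT_VIOLATIONS reads like a policy knob rather than the per-inode "already reported" state bit it actually is; a reader has to find the clear_bit() in ima_check_last_writer() to learn that exactly one open-writers violation is recorded while the file stays open for write. Suggest `/* Record at most one open-writers violation per writer session; the bit is re-armed in ima_check_last_writer() when the last writer closes. */`. Note also that the TOMTOU branch above this hunk is untouched, so the measurement list remains a per-open record for read-then-write but becomes a per-session record for write-then-read; that asymmetry is a change in what log consumers can reconstruct and deserves a sentence in the commit message. ima_rdwr_violation_check()'s body starts before this hunk.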
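Review bot: The clear_bit() added to ima_check_last_writer() runs while i_writecount is still 1, i.e. before the closing writer's own count is dropped (assuming this is reached from the file-release path, which the hunk does not show), so a reader that opens in that window still sees inode_is_open_for_write() true and records a fresh violation. That is benign — it can only produce one extra record, never suppress one — but the ordering is easy to "fix" later into something that loses the re-arm, so it is worth stating: `/* Last writer is closing: re-arm open-writers violation reporting. */`. ima_check_last_writer() starts before this hunk and its remaining body is outside it.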
Limit the number of open-writers integrity violation audit messages and records in the IMA measurement list emitted when re-opening a file for read. Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> --- security/integrity/ima/ima.h | 1 + security/integrity/ima/ima_main.c | 14 ++++++++++++-- 2 files changed, 13 insertions(+), 2 deletions(-)