summaryrefslogtreecommitdiffstats
path: root/security/security.c
diff options
context:
space:
mode:
authorEric Paris <eparis@redhat.com>2010-10-25 20:42:25 +0200
committerLinus Torvalds <torvalds@linux-foundation.org>2010-10-26 20:37:19 +0200
commitbade72d607c4eb1b1d6c7852c493b75f065a56b5 (patch)
tree95aafb198d9a8a08e6b7813de0403658e6a1b04a /security/security.c
parentIMA: explicit IMA i_flag to remove global lock on inode_delete (diff)
downloadlinux-bade72d607c4eb1b1d6c7852c493b75f065a56b5.tar.xz
linux-bade72d607c4eb1b1d6c7852c493b75f065a56b5.zip
IMA: fix the ToMToU logic
Current logic looks like this: rc = ima_must_measure(NULL, inode, MAY_READ, FILE_CHECK); if (rc < 0) goto out; if (mode & FMODE_WRITE) { if (inode->i_readcount) send_tomtou = true; goto out; } if (atomic_read(&inode->i_writecount) > 0) send_writers = true; Lets assume we have a policy which states that all files opened for read by root must be measured. Lets assume the file has permissions 777. Lets assume that root has the given file open for read. Lets assume that a non-root process opens the file write. The non-root process will get to ima_counts_get() and will check the ima_must_measure(). Since it is not supposed to measure it will goto out. We should check the i_readcount no matter what since we might be causing a ToMToU voilation! This is close to correct, but still not quite perfect. The situation could have been that root, which was interested in the mesurement opened and closed the file and another process which is not interested in the measurement is the one holding the i_readcount ATM. This is just overly strict on ToMToU violations, which is better than not strict enough... Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'security/security.c')
0 files changed, 0 insertions, 0 deletions