linux_dsm_epyc7002/security/integrity/ima
Roberto Sassu f7a859ff73 ima: fix race condition on ima_rdwr_violation_check and process_measurement
This patch fixes a race condition between two functions that try to access
the same inode. Since the i_mutex lock is held and released separately
in the two functions, there may be the possibility that a violation is
not correctly detected.

Suppose there are two processes, A (reader) and B (writer), if the
following sequence happens:

A: ima_rdwr_violation_check()
B: ima_rdwr_violation_check()
B: process_measurement()
B: starts writing the inode
A: process_measurement()

the ToMToU violation (a reader may be accessing a content different from
that measured, due to a concurrent modification by a writer) will not be
detected. To avoid this issue, the violation check and the measurement
must be done atomically.

This patch fixes the problem by moving the violation check inside
process_measurement() when the i_mutex lock is held. Differently from
the old code, the violation check is executed also for the MMAP_CHECK
hook (other than for FILE_CHECK). This allows to detect ToMToU violations
that are possible because shared libraries can be opened for writing
while they are in use (according to the output of 'man mmap', the mmap()
flag MAP_DENYWRITE is ignored).

Changes in v5 (Roberto Sassu):
* get iint if action is not zero
* exit process_measurement() after the violation check if action is zero
* reverse order process_measurement() exit cleanup (Mimi)

Changes in v4 (Dmitry Kasatkin):
* iint allocation is done before calling ima_rdrw_violation_check()
  (Suggested-by Mimi)
* do not check for violations if the policy does not contain 'measure'
  rules (done by Roberto Sassu)

Changes in v3 (Dmitry Kasatkin):
* no violation checking for MMAP_CHECK function in this patch
* remove use of filename from violation
* removes checking if ima is enabled from ima_rdrw_violation_check
* slight style change

Suggested-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
2014-09-18 10:03:55 -04:00
..
ima_api.c ima: remove usage of filename parameter 2014-09-09 10:28:52 -04:00
ima_appraise.c ima: added ima_policy_flag variable 2014-09-17 16:39:36 -04:00
ima_crypto.c ima: add missing '__init' keywords 2014-09-09 10:28:50 -04:00
ima_fs.c integrity: fix checkpatch errors 2014-03-07 12:15:45 -05:00
ima_init.c ima: return an error code from ima_add_boot_aggregate() 2014-09-17 16:15:42 -04:00
ima_main.c ima: fix race condition on ima_rdwr_violation_check and process_measurement 2014-09-18 10:03:55 -04:00
ima_policy.c ima: added ima_policy_flag variable 2014-09-17 16:39:36 -04:00
ima_queue.c integrity: fix checkpatch errors 2014-03-07 12:15:45 -05:00
ima_template_lib.c ima: reduce memory usage when a template containing the n field is used 2014-03-07 11:32:30 -05:00
ima_template_lib.h ima: extend the measurement list to include the file signature 2013-10-31 20:19:35 -04:00
ima_template.c ima: initialize only required template 2014-09-09 10:28:54 -04:00
ima.h ima: added ima_policy_flag variable 2014-09-17 16:39:36 -04:00
Kconfig integrity: base integrity subsystem kconfig options on integrity 2014-09-09 10:28:56 -04:00
Makefile ima: define template fields library and new helpers 2013-10-25 17:17:05 -04:00