On Thu, 2024-11-28 at 11:06 +0100, Roberto Sassu wrote: > From: Roberto Sassu <roberto.sassu@xxxxxxxxxx> > > According to man open.2, files opened with O_PATH are not really opened. The > obtained file descriptor is used to indicate a location in the filesystem > tree and to perform operations that act purely at the file descriptor > level. > > Thus, ignore open() syscalls with O_PATH, since IMA cares about file data. > > Cc: stable@xxxxxxxxxxxxxxx # v2.6.39.x > Fixes: 1abf0c718f15a ("New kind of open files - "location only".") > Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx> Thanks, Roberto. Note: Ignoring open() with O_PATH impacts policies containing "func=FILE_CHECK" rules. Reviewed-by: Mimi Zohar <zohar@xxxxxxxxxxxxx> > --- > security/integrity/ima/ima_main.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c > index 50b37420ea2c..712c3a522e6c 100644 > --- a/security/integrity/ima/ima_main.c > +++ b/security/integrity/ima/ima_main.c > @@ -202,7 +202,8 @@ static void ima_file_free(struct file *file) > struct inode *inode = file_inode(file); > struct ima_iint_cache *iint; > > - if (!ima_policy_flag || !S_ISREG(inode->i_mode)) > + if (!ima_policy_flag || !S_ISREG(inode->i_mode) || > + (file->f_flags & O_PATH)) > return; > > iint = ima_iint_find(inode); > @@ -232,7 +233,8 @@ static int process_measurement(struct file *file, const struct > cred *cred, > enum hash_algo hash_algo; > unsigned int allowed_algos = 0; > > - if (!ima_policy_flag || !S_ISREG(inode->i_mode)) > + if (!ima_policy_flag || !S_ISREG(inode->i_mode) || > + (file->f_flags & O_PATH)) > return 0; > > /* Return an IMA_MEASURE, IMA_APPRAISE, IMA_AUDIT action
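Review bot: in the ima_file_free() hunk, the commit message only justifies skipping O_PATH descriptors for the open path; a sentence explaining why the same condition is needed here would help reviewers and backporters. The apparent intent is symmetry: a file that process_measurement() never looked at because of O_PATH should also bail out before the `iint = ima_iint_find(inode);` lookup that follows the new early return, so that close does no work for a descriptor that was never measured. Stating that in the changelog (or a one-line comment above the condition) would make the pairing of the two hunks explicit.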
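Review bot: in the process_measurement() hunk the new `(file->f_flags & O_PATH)` test sits ahead of the policy lookup (the "Return an IMA_MEASURE, IMA_APPRAISE, IMA_AUDIT action" comment comes after it), so an O_PATH open returns 0 without the policy ever being consulted. That is the behaviour change Mimi points out for policies with "func=FILE_CHECK" rules, and it belongs in the commit message next to the man-page rationale, e.g. "An O_PATH descriptor cannot be used to read file data, so FILE_CHECK rules are no longer evaluated for such opens." Since the patch is also tagged for stable, spelling out the policy-visible effect will help anyone deciding whether to backport it.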