On Fri, 2011-05-20 at 08:40 -0500, Serge E. Hallyn wrote: > Quoting Mimi Zohar (zohar@xxxxxxxxxxxxxxxxxx): > > On Thu, 2011-05-19 at 17:06 -0500, Serge E. Hallyn wrote: > > > Quoting Mimi Zohar (zohar@xxxxxxxxxxxxxxxxxx): > > > > Integrity appraisal measures files on file_free and stores the file > > > > measurement as an xattr. Measure the file before releasing it. > > > > > > Can you put a bit more in the commit msg about why? What's magic > > > about the fs-specific release function? > > > > ima_file_free(), called on __fput(), currently flags files that have > > changed, so that the file is re-measured. However, for appraising a > > files's integrity, flagging the file is not enough. The file's > > security.ima xattr must be updated to reflect any changes. This patch > > moves releasing the file to after calculating the new file hash. > > Sorry if I'm being dense, but I still don't understand (even though > apparently I used to :) why the fs release is magic here. The > dropping of the writelock comes later, so no file will be able to > open the file for execute or write until that point, meaning that > won't be happening without a re-measure with or without this patch. > > So you must be thinking something about general opens(), but I > don't believe that file_operations->release makes a difference to > another tasks's ability to open the file, nor to the writing out > of changed contents. > > security_file_free() doesn't appear to be hooked by ima or evm, > and if a security module changes its security.X xattr you'll > end up re-measuring the xattrs anyway. > > So I'm still missing something, sorry :) > > -serge No, my mistake. IMA-appraisal, not EVM, needs to be able to read the file in order to re-calculate the hash and update the 'security.ima' extended attribute. Will move this patch to the IMA patchset. thanks, Mimi > > > > Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxx> > > > > Acked-by: Serge Hallyn <serge.hallyn@xxxxxxxxxx> > > > > --- > > > > fs/file_table.c | 2 +- > > > > 1 files changed, 1 insertions(+), 1 deletions(-) > > > > > > > > diff --git a/fs/file_table.c b/fs/file_table.c > > > > index 01e4c1e..33f54a1 100644 > > > > --- a/fs/file_table.c > > > > +++ b/fs/file_table.c > > > > @@ -243,10 +243,10 @@ static void __fput(struct file *file) > > > > if (file->f_op && file->f_op->fasync) > > > > file->f_op->fasync(-1, file, 0); > > > > } > > > > + ima_file_free(file); > > > > if (file->f_op && file->f_op->release) > > > > file->f_op->release(inode, file); > > > > security_file_free(file); > > > > - ima_file_free(file); > > > > if (unlikely(S_ISCHR(inode->i_mode) && inode->i_cdev != NULL && > > > > !(file->f_mode & FMODE_PATH))) { > > > > cdev_put(inode->i_cdev); > > > > -- > > > -- > To unsubscribe from this list: send the line "unsubscribe linux-security-module" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html