Re: Should mprotect(..., PROT_EXEC) be checked by IMA?

On 19.03.2019 14:22, Mimi Zohar wrote:
On Tue, 2019-03-19 at 10:50 +0300, Igor Zhbanov wrote:
Hi Mimi,

I guess similar to SELinux function:
[snip]

Remember IMA relies on LSMs for mandatory access control(MAC).  IMA
measures, audits, and enforces file integrity.

Yes. But LSM will not check the integrity of the file mmapped for read. Nor does
IMA.

The structure vm_area_struct has a pointer vm_file pointing to the mapped file,
so it could be used to tell which file's xattrs to check.

That's fine for when there is a file descriptor, but the file
descriptor could have been closed.  (Refer to the mmap manpage.)

Can it be checked?

I think that checking the integrity at least in the case when the file is
still open is better than not checking at all, because, as I said, it would
be possible to use mmap+mprotect to bypass IMA checking for shared libraries.
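As an added illustration of the vm_file versus closed-descriptor point above (example code, not from the thread or the kernel): a small Linux program maps a constructed sample file read-only, closes the descriptor, and confirms through /proc/self/maps that the kernel still attributes the mapping to that file, which is the vm_file information such a check would key on. It assumes Linux with /proc mounted; the file name and helper names are the example's own.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Returns 1 if a PROT_READ mapping of `path` is still attributed to that
 * path in /proc/self/maps after its descriptor was closed, 0 if not,
 * -1 on error. */
int mapping_names_file_after_close(const char *path)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    void *map = mmap(NULL, pagesz, PROT_READ, MAP_PRIVATE, fd, 0);
    close(fd);                        /* descriptor gone, mapping stays */
    if (map == MAP_FAILED) return -1;
    int found = 0;
    FILE *maps = fopen("/proc/self/maps", "r");
    if (maps) {
        char line[4096];
        while (fgets(line, sizeof line, maps)) {
            line[strcspn(line, "\n")] = '\0';   /* path is the last field */
            size_t ll = strlen(line), pl = strlen(path);
            if (ll >= pl && strcmp(line + ll - pl, path) == 0) found = 1;
        }
        fclose(maps);
    }
    munmap(map, pagesz);
    return found;
}

/* Builds a constructed one-page sample file (not a real library), runs the
 * check on it and removes it. Returns the check's result. */
int demo(void)
{
    char path[] = "/tmp/ima-mmap-XXXXXX", page[4096];
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    memset(page, 'A', sizeof page);
    ssize_t w = write(fd, page, sizeof page);
    close(fd);
    int r = (w == (ssize_t)sizeof page) ? mapping_names_file_after_close(path) : -1;
    unlink(path);
    return r;
}

int main(void) { printf("mapping still names the file after close: %d\n", demo()); return 0; }
```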
