On 2022/10/19 15:17, Guozihua (Scott) wrote:
On 2022/10/19 9:07, Mimi Zohar wrote:
On Tue, 2022-10-18 at 16:43 +0800, Guozihua (Scott) wrote:
On 2022/9/28 22:11, Mimi Zohar wrote:
After reviewing this patch set again, the code looks fine. The commit
message is still a bit off, but I've pushed the patch set out to
next-integrity-testing, waiting for some Reviewed-by/Tested-by tags.
Hi Mimi,
How's this patch going? I see Roberto is replying with a Reviewed-by.
I'd really like to see a "Tested-by" tag as well.
Are you able to force the scenario?
It's a race condition which could be hard to reproduce easily and in a
stable manner. I'll give it a try.
Hi Mimi,
I managed to reproduce this issue with the help of the following two
scripts:
read_tmp_measurement.sh:
#!/bin/bash
# Keep reading tmp.txt in a tight loop and watch the IMA measurement list.
# tmp.txt is labeled user_home_t, which the loaded IMA rule does not match,
# so a measurement entry for it should never appear.
while true
do
    cat /root/tmp.txt > /dev/null
    measurement=$(cat /sys/kernel/security/ima/ascii_runtime_measurements | grep "tmp\.txt" | wc -l)
    if [ "${measurement}" == "1" ]; then
        echo "measurement found"
        exit 1
    fi
done
test.sh:
#!/bin/bash
# Load an IMA rule that measures only files labeled unlabeled_t.
echo "measure obj_user=system_u obj_role=object_r obj_type=unlabeled_t" > /sys/kernel/security/ima/policy

# tmp2.txt is unlabeled_t: reading it must produce a measurement.
cat /root/tmp2.txt
measurement=$(cat /sys/kernel/security/ima/ascii_runtime_measurements | grep "tmp2\.txt" | wc -l)
[ "$measurement" == "1" ] && echo "measurement for tmp2 found"

# tmp.txt is user_home_t: reading it must NOT produce a measurement.
cat /root/tmp.txt
measurement=$(cat /sys/kernel/security/ima/ascii_runtime_measurements | grep "tmp\.txt" | wc -l)
[ "$measurement" == "1" ] && echo "measurement for tmp found, preparation failed!" && exit 1

# Keep reading tmp.txt in the background while the SELinux policy is
# reloaded; the watcher exits with "measurement found" if the race hits.
./read_tmp_measurement.sh &
pid=$!
cd /usr/share/selinux/default
semodule -i clock.pp.bz2
semodule -r clock
kill ${pid}
I created two files, tmp.txt and tmp2.txt, assigned them the types
user_home_t and unlabeled_t respectively, and then ran test.sh.
On a multi-core environment, I managed to reproduce this issue pretty
easily and tested that once the solution is merged, the issue stops
happening.
--
Best
GUO Zihua