Limit the number of open-writers integrity violation audit messages
and records in the IMA measurement list emitted when re-opening a
file for read.
Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
---
security/integrity/ima/ima.h | 1 +
security/integrity/ima/ima_main.c | 14 ++++++++++++--
2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index a4f284bd846c..7f21568544dd 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -182,6 +182,7 @@ struct ima_kexec_hdr {
#define IMA_CHANGE_ATTR 2
#define IMA_DIGSIG 3
#define IMA_MUST_MEASURE 4
+#define IMA_LIMIT_VIOLATIONS 5
/* IMA integrity metadata associated with an inode */
struct ima_iint_cache {
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 28b8b0db6f9b..5091ad931677 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -137,8 +137,16 @@ static void ima_rdwr_violation_check(struct file *file,
} else {
if (must_measure)
set_bit(IMA_MUST_MEASURE, &iint->atomic_flags);
- if (inode_is_open_for_write(inode) && must_measure)
- send_writers = true;
+
+ if (inode_is_open_for_write(inode) && must_measure) {
+ if (!iint)
+ iint = ima_iint_find(inode);
+
+ /* Limit number of open_writers violations */
+ if (iint && !test_and_set_bit(IMA_LIMIT_VIOLATIONS,
+ &iint->atomic_flags))
+ send_writers = true;
+ }
}
if (!send_tomtou && !send_writers)
@@ -167,6 +175,8 @@ static void ima_check_last_writer(struct ima_iint_cache *iint,
if (atomic_read(&inode->i_writecount) == 1) {
struct kstat stat;
+ clear_bit(IMA_LIMIT_VIOLATIONS, &iint->atomic_flags);
+
update = test_and_clear_bit(IMA_UPDATE_XATTR,
&iint->atomic_flags);
if ((iint->flags & IMA_NEW_FILE) ||
--
2.48.1
