[PATCH 2/2] ima: limit the number of ToMToU integrity violations

Mimi Zohar <zohar@xxxxxxxxxxxxx> · Wed, 19 Feb 2025 11:21:31 -0500

Each time a file in policy, that is already opened for read, is opened
for write a Time-of-Measure-Time-of-Use (ToMToU) integrity violation
audit message is emitted and a violation record is added to the IMA
measurement list, even if a ToMToU violation has already been recorded.

Limit the number of ToMToU integrity violations for an existing file
open for read.

Note: The IMA_MUST_MEASURE atomic flag must be set from the reader side
based on policy.  This may result in a per open reader additional ToMToU
violation.

Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
---
 security/integrity/ima/ima_main.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index cde3ae55d654..f1671799a11b 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -129,9 +129,10 @@ static void ima_rdwr_violation_check(struct file *file,
 		if (atomic_read(&inode->i_readcount) && IS_IMA(inode)) {
 			if (!iint)
 				iint = ima_iint_find(inode);
+
 			/* IMA_MEASURE is set from reader side */
-			if (iint && test_bit(IMA_MUST_MEASURE,
-						&iint->atomic_flags))
+			if (iint && test_and_clear_bit(IMA_MUST_MEASURE,
+						       &iint->atomic_flags))
 				send_tomtou = true;
 		}
 	} else {
-- 
2.48.1








