From bc15ed663e7e53ee4dc3e60f8d09c93a0528c694 Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Tue, 17 Jan 2017 06:45:41 -0500 Subject: ima: fix ima_d_path() possible race with rename On failure to return a pathname from ima_d_path(), a pointer to dname is returned, which is subsequently used in the IMA measurement list, the IMA audit records, and other audit logging. Saving the pointer to dname for later use has the potential to race with rename. Intead of returning a pointer to dname on failure, this patch returns a pointer to a copy of the filename. Reported-by: Al Viro Signed-off-by: Mimi Zohar Cc: stable@vger.kernel.org --- security/integrity/ima/ima.h | 2 +- security/integrity/ima/ima_api.c | 20 ++++++++++++++++++-- security/integrity/ima/ima_main.c | 8 +++++--- 3 files changed, 24 insertions(+), 6 deletions(-) (limited to 'security/integrity') diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 5e6180a4da7d..b563fbd4d122 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -204,7 +204,7 @@ int ima_store_template(struct ima_template_entry *entry, int violation, struct inode *inode, const unsigned char *filename, int pcr); void ima_free_template_entry(struct ima_template_entry *entry); -const char *ima_d_path(const struct path *path, char **pathbuf); +const char *ima_d_path(const struct path *path, char **pathbuf, char *filename); /* IMA policy related functions */ int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask, diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index 9df26a2b75ba..d01a52f8f708 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -318,7 +318,17 @@ void ima_audit_measurement(struct integrity_iint_cache *iint, iint->flags |= IMA_AUDITED; } -const char *ima_d_path(const struct path *path, char **pathbuf) +/* + * ima_d_path - return a pointer to the full pathname + * + * Attempt to return a pointer to the full pathname for use in the + * IMA measurement list, IMA audit records, and auditing logs. + * + * On failure, return a pointer to a copy of the filename, not dname. + * Returning a pointer to dname, could result in using the pointer + * after the memory has been freed. + */ +const char *ima_d_path(const struct path *path, char **pathbuf, char *namebuf) { char *pathname = NULL; @@ -331,5 +341,11 @@ const char *ima_d_path(const struct path *path, char **pathbuf) pathname = NULL; } } - return pathname ?: (const char *)path->dentry->d_name.name; + + if (!pathname) { + strlcpy(namebuf, path->dentry->d_name.name, NAME_MAX); + pathname = namebuf; + } + + return pathname; } diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 50818c60538b..d5e492bd2899 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -83,6 +83,7 @@ static void ima_rdwr_violation_check(struct file *file, const char **pathname) { struct inode *inode = file_inode(file); + char filename[NAME_MAX]; fmode_t mode = file->f_mode; bool send_tomtou = false, send_writers = false; @@ -102,7 +103,7 @@ static void ima_rdwr_violation_check(struct file *file, if (!send_tomtou && !send_writers) return; - *pathname = ima_d_path(&file->f_path, pathbuf); + *pathname = ima_d_path(&file->f_path, pathbuf, filename); if (send_tomtou) ima_add_violation(file, *pathname, iint, @@ -161,6 +162,7 @@ static int process_measurement(struct file *file, char *buf, loff_t size, struct integrity_iint_cache *iint = NULL; struct ima_template_desc *template_desc; char *pathbuf = NULL; + char filename[NAME_MAX]; const char *pathname = NULL; int rc = -ENOMEM, action, must_appraise; int pcr = CONFIG_IMA_MEASURE_PCR_IDX; @@ -239,8 +241,8 @@ static int process_measurement(struct file *file, char *buf, loff_t size, goto out_digsig; } - if (!pathname) /* ima_rdwr_violation possibly pre-fetched */ - pathname = ima_d_path(&file->f_path, &pathbuf); + if (!pathbuf) /* ima_rdwr_violation possibly pre-fetched */ + pathname = ima_d_path(&file->f_path, &pathbuf, filename); if (action & IMA_MEASURE) ima_store_measurement(iint, file, pathname, -- cgit From 20f482ab9e0f800d1e01ce748ebd382d085abe56 Mon Sep 17 00:00:00 2001 From: Lans Zhang Date: Fri, 6 Jan 2017 12:38:11 +0800 Subject: ima: allow to check MAY_APPEND Otherwise some mask and inmask tokens with MAY_APPEND flag may not work as expected. Signed-off-by: Lans Zhang Signed-off-by: Mimi Zohar --- security/integrity/ima/ima_api.c | 3 ++- security/integrity/ima/ima_main.c | 6 +++--- 2 files changed, 5 insertions(+), 4 deletions(-) (limited to 'security/integrity') diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index d01a52f8f708..c2edba8de35e 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -157,7 +157,8 @@ err_out: /** * ima_get_action - appraise & measure decision based on policy. * @inode: pointer to inode to measure - * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXECUTE) + * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXEC, + * MAY_APPEND) * @func: caller identifier * @pcr: pointer filled in if matched measure policy sets pcr= * diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index d5e492bd2899..2aebb7984437 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -309,7 +309,7 @@ int ima_bprm_check(struct linux_binprm *bprm) /** * ima_path_check - based on policy, collect/store measurement. * @file: pointer to the file to be measured - * @mask: contains MAY_READ, MAY_WRITE or MAY_EXECUTE + * @mask: contains MAY_READ, MAY_WRITE, MAY_EXEC or MAY_APPEND * * Measure files based on the ima_must_measure() policy decision. * @@ -319,8 +319,8 @@ int ima_bprm_check(struct linux_binprm *bprm) int ima_file_check(struct file *file, int mask, int opened) { return process_measurement(file, NULL, 0, - mask & (MAY_READ | MAY_WRITE | MAY_EXEC), - FILE_CHECK, opened); + mask & (MAY_READ | MAY_WRITE | MAY_EXEC | + MAY_APPEND), FILE_CHECK, opened); } EXPORT_SYMBOL_GPL(ima_file_check); -- cgit