    ima: detect violations for mmaped files · 1b68bdf9
    Roberto Sassu authored
    This patch fixes the detection of the 'open_writers' violation for mmaped
    files.
    
    before) an 'open_writers' violation is detected if the policy contains
            a rule with the criteria: func=FILE_CHECK mask=MAY_READ
    
    after) an 'open_writers' violation is detected if the current event
           matches one of the policy rules.
    
    With the old behaviour, the 'open_writers' violation is not detected
    in the following case:
    
    policy:
    measure func=FILE_MMAP mask=MAY_EXEC
    
    steps:
    1) open a shared library for writing
    2) execute a binary that links that shared library
    3) during the binary execution, modify the shared library and save
       the change
    
    result:
    the 'open_writers' violation measurement is not present in the IMA list.
    
    Only binaries executed are protected from writes. For libraries mapped
    in memory there is the flag MAP_DENYWRITE for this purpose, but according
    to the output of 'man mmap', the mmap flag is ignored.
    
    Since ima_rdwr_violation_check() is now called by process_measurement(),
    the information about whether the inode must be measured is already provided
    by ima_get_action(). Thus the unnecessary function ima_must_measure()
    has been removed.
    
    Changes in v3 (Dmitry Kasatkin):
    - Violations for the MMAP_CHECK function are verified since this patch
    - Changed the patch description a bit
    Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
    Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
    Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
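The before/after behaviour described in the commit message, as an added model (not kernel code and not part of this commit): the policy line format and the reproduction scenario are the ones given above, while the `Rule`/`Event` types, the mask values and the exact-match rule semantics are assumptions of this illustration.

```python
"""Constructed model of the IMA 'open_writers' violation check before/after the change."""
from dataclasses import dataclass

# Permission mask values mirror the kernel's MAY_* bits (assumed here for illustration).
MASKS = {"MAY_EXEC": 0x1, "MAY_WRITE": 0x2, "MAY_READ": 0x4}

@dataclass(frozen=True)
class Rule:
    action: str   # e.g. "measure"
    func: str     # IMA hook the rule applies to, e.g. "FILE_CHECK", "FILE_MMAP"
    mask: int     # MAY_* bit the rule applies to

@dataclass(frozen=True)
class Event:
    func: str          # hook that triggered the measurement
    mask: int          # access mask of the current open/mmap
    open_writers: int  # processes currently holding the inode open for write

def parse_policy(text: str) -> list[Rule]:
    """Parse lines like 'measure func=FILE_MMAP mask=MAY_EXEC' (format from the commit)."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        action, *opts = line.split()
        kv = dict(opt.split("=", 1) for opt in opts)
        rules.append(Rule(action, kv["func"], MASKS[kv["mask"]]))
    return rules

def violation_before(policy: list[Rule], ev: Event) -> bool:
    """Old behaviour: only a FILE_CHECK/MAY_READ rule enables the check at all."""
    enabled = any(r.func == "FILE_CHECK" and r.mask == MASKS["MAY_READ"] for r in policy)
    return enabled and ev.open_writers > 0

def violation_after(policy: list[Rule], ev: Event) -> bool:
    """New behaviour: the check runs whenever the current event matches a rule."""
    matched = any(r.func == ev.func and r.mask == ev.mask for r in policy)
    return matched and ev.open_writers > 0

# Scenario from the commit message: a shared library is still open for writing
# while a binary that links it is executed, so IMA sees FILE_MMAP with MAY_EXEC.
POLICY = parse_policy("measure func=FILE_MMAP mask=MAY_EXEC")
LIB_MMAP = Event("FILE_MMAP", MASKS["MAY_EXEC"], open_writers=1)

if __name__ == "__main__":
    print("before:", violation_before(POLICY, LIB_MMAP))  # False: violation missed
    print("after: ", violation_after(POLICY, LIB_MMAP))   # True: violation measured
```

With only the FILE_MMAP rule loaded, the old check never fires for the library, which is the missing measurement the commit describes; the new check fires as soon as the matching event occurs while a writer is still present.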
ima_main.c 9.55 KB