Reposting unmangled version ...

As a temporary fix, do not measure, appraise, or audit files
opened with the O_DIRECT flag set.  Just audit log it.

Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
Cc: <sta...@vger.kernel.org>
---
 security/integrity/ima/ima_api.c  | 10 +++++++++-
 security/integrity/ima/ima_main.c |  5 ++++-
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index ba9e4d7..d719978 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -199,6 +199,7 @@ int ima_collect_measurement(struct integrity_iint_cache 
*iint,
                            struct evm_ima_xattr_data **xattr_value,
                            int *xattr_len)
 {
+       const char *audit_cause = "failed";
        struct inode *inode = file_inode(file);
        const char *filename = file->f_dentry->d_name.name;
        int result = 0;
@@ -213,6 +214,12 @@ int ima_collect_measurement(struct integrity_iint_cache 
*iint,
        if (!(iint->flags & IMA_COLLECTED)) {
                u64 i_version = file_inode(file)->i_version;
 
+               if (file->f_flags & O_DIRECT) {
+                       audit_cause = "failed(directio)";
+                       result = -EACCES;
+                       goto out;
+               }
+       
                /* use default hash algorithm */
                hash.hdr.algo = ima_hash_algo;
 
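Review bot: The O_DIRECT test sits inside the `if (!(iint->flags & IMA_COLLECTED))` branch, so an O_DIRECT open of a file whose measurement was already collected reaches `out:` with `result == 0` and emits no audit record, although the description says such opens are audit logged. If every direct-I/O open should be visible to whoever monitors AUDIT_INTEGRITY_DATA records, the test would need to run before the IMA_COLLECTED check. If the omission is intended, a comment above the test such as `/* temporary: files opened O_DIRECT are not hashed; audit logged on first collection only */` would record that. The added separator line after the closing brace carries trailing whitespace. The body of ima_collect_measurement() starts before this hunk and continues past it, so this reading covers only the visible lines.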
@@ -233,9 +240,10 @@ int ima_collect_measurement(struct integrity_iint_cache 
*iint,
                                result = -ENOMEM;
                }
        }
+out:
        if (result)
                integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
-                                   filename, "collect_data", "failed",
+                                   filename, "collect_data", audit_cause,
                                    result, 0);
        return result;
 }
diff --git a/security/integrity/ima/ima_main.c 
b/security/integrity/ima/ima_main.c
index 654111f..3e5b732 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -214,8 +214,11 @@ static int process_measurement(struct file *file, const 
char *filename,
                xattr_ptr = &xattr_value;
 
        rc = ima_collect_measurement(iint, file, xattr_ptr, &xattr_len);
-       if (rc != 0)
+       if (rc != 0) { 
+               if (file->f_flags & O_DIRECT)
+                       rc = 0;
                goto out_digsig;
+       }
 
        pathname = filename ?: ima_d_path(&file->f_path, &pathbuf);
 
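Review bot: Resetting `rc` to 0 whenever `file->f_flags & O_DIRECT` is set makes this hook fail open: the flag is chosen by the opener, so as far as this hunk shows, a file opened that way skips measurement and appraisal and the open still succeeds, even under an enforcing policy. A safer default is to keep the error and permit direct I/O only where the loaded policy explicitly allows it for the matching rule; until then, a comment such as `/* temporary: O_DIRECT files are not measured or appraised, only audit logged */` should mark the gap. The test keys on the flag rather than on the specific failure, so it would also hide any later non-directio error returned for an O_DIRECT file. The audit record from ima_collect_measurement() reports `-EACCES` with cause `failed(directio)` even though access is then granted, which anyone triaging these events needs to know. The added `if (rc != 0) { ` line has trailing whitespace, and process_measurement() extends beyond this hunk on both sides.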
-- 
1.8.1.4


