subject:"\[RFC PATCH\] ima\: audit log files opened with O

Re: [RFC PATCH] ima: audit log files opened with O_DIRECT flag

2014-05-13 Thread Mimi Zohar

On Tue, 2014-05-13 at 16:19 +0900, J. R. Okajima wrote: 
> Mimi Zohar:
> > As a temporary fix, do not measure, appraise, or audit files
> > opened with the O_DIRECT flag set.  Just audit log it.
> 
> I have no objection about the patch, but have a question.
> Are you intending to put it into mainline now (and stable too)? Or is
> this a local bandage for whoever have met the problem (like me)?

Yes, for the time being.

> In other words, should I wait for another lock free solution from Dmitry
> Kasatkin?

In addition to the lockdep issue, there is a separate problem of reading
the file opened w/O_DIRECT flag.  Dmitry is about to post two patches,
with a detailed explanation.  The first patch re-introduces the
iint->mutex.  The other patch reads the file opened w/O_DIRECT flag.
Neither patch is trivial.

> By the way, the mail is not delivered to stable-ML while there is
> "Cc: stable..." line in the commit log.

The CC shouldn't have been included in an RFC.

Mimi

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [RFC PATCH] ima: audit log files opened with O_DIRECT flag

2014-05-13 Thread J. R. Okajima


Mimi Zohar:
> As a temporary fix, do not measure, appraise, or audit files
> opened with the O_DIRECT flag set.  Just audit log it.

I have no objection about the patch, but have a question.
Are you intending to put it into mainline now (and stable too)? Or is
this a local bandage for whoever have met the problem (like me)?
In other words, should I wait for another lock free solution from Dmitry
Kasatkin?

By the way, the mail is not delivered to stable-ML while there is
"Cc: stable..." line in the commit log.


J. R. Okajima
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [RFC PATCH] ima: audit log files opened with O_DIRECT flag

2014-05-13 Thread J. R. Okajima


Mimi Zohar:
 As a temporary fix, do not measure, appraise, or audit files
 opened with the O_DIRECT flag set.  Just audit log it.

I have no objection about the patch, but have a question.
Are you intending to put it into mainline now (and stable too)? Or is
this a local bandage for whoever have met the problem (like me)?
In other words, should I wait for another lock free solution from Dmitry
Kasatkin?

By the way, the mail is not delivered to stable-ML while there is
Cc: stable... line in the commit log.


J. R. Okajima
--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [RFC PATCH] ima: audit log files opened with O_DIRECT flag

2014-05-13 Thread Mimi Zohar

On Tue, 2014-05-13 at 16:19 +0900, J. R. Okajima wrote: 
 Mimi Zohar:
  As a temporary fix, do not measure, appraise, or audit files
  opened with the O_DIRECT flag set.  Just audit log it.
 
 I have no objection about the patch, but have a question.
 Are you intending to put it into mainline now (and stable too)? Or is
 this a local bandage for whoever have met the problem (like me)?

Yes, for the time being.

 In other words, should I wait for another lock free solution from Dmitry
 Kasatkin?

In addition to the lockdep issue, there is a separate problem of reading
the file opened w/O_DIRECT flag.  Dmitry is about to post two patches,
with a detailed explanation.  The first patch re-introduces the
iint-mutex.  The other patch reads the file opened w/O_DIRECT flag.
Neither patch is trivial.

 By the way, the mail is not delivered to stable-ML while there is
 Cc: stable... line in the commit log.

The CC shouldn't have been included in an RFC.

Mimi

--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [RFC PATCH] ima: audit log files opened with O_DIRECT flag

2014-05-12 Thread Mimi Zohar

Reposting unmangled version ...

As a temporary fix, do not measure, appraise, or audit files
opened with the O_DIRECT flag set.  Just audit log it.

Signed-off-by: Mimi Zohar 
Cc: 
---
 security/integrity/ima/ima_api.c  | 10 +-
 security/integrity/ima/ima_main.c |  5 -
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index ba9e4d7..d719978 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -199,6 +199,7 @@ int ima_collect_measurement(struct integrity_iint_cache 
*iint,
struct evm_ima_xattr_data **xattr_value,
int *xattr_len)
 {
+   const char *audit_cause = "failed";
struct inode *inode = file_inode(file);
const char *filename = file->f_dentry->d_name.name;
int result = 0;
@@ -213,6 +214,12 @@ int ima_collect_measurement(struct integrity_iint_cache 
*iint,
if (!(iint->flags & IMA_COLLECTED)) {
u64 i_version = file_inode(file)->i_version;
 
+   if (file->f_flags & O_DIRECT) {
+   audit_cause = "failed(directio)";
+   result = -EACCES;
+   goto out;
+   }
+   
/* use default hash algorithm */
hash.hdr.algo = ima_hash_algo;
 
@@ -233,9 +240,10 @@ int ima_collect_measurement(struct integrity_iint_cache 
*iint,
result = -ENOMEM;
}
}
+out:
if (result)
integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
-   filename, "collect_data", "failed",
+   filename, "collect_data", audit_cause,
result, 0);
return result;
 }
diff --git a/security/integrity/ima/ima_main.c 
b/security/integrity/ima/ima_main.c
index 654111f..3e5b732 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -214,8 +214,11 @@ static int process_measurement(struct file *file, const 
char *filename,
xattr_ptr = _value;
 
rc = ima_collect_measurement(iint, file, xattr_ptr, _len);
-   if (rc != 0)
+   if (rc != 0) { 
+   if (file->f_flags & O_DIRECT)
+   rc = 0;
goto out_digsig;
+   }
 
pathname = filename ?: ima_d_path(>f_path, );
 
-- 
1.8.1.4



--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[RFC PATCH] ima: audit log files opened with O_DIRECT flag

2014-05-12 Thread Mimi Zohar

As a temporary fix, do not measure, appraise, or audit files
opened with the O_DIRECT flag set.  Just audit log it.

Signed-off-by: Mimi Zohar 
---
security/integrity/ima/ima_api.c  | 10 +-
security/integrity/ima/ima_main.c |  5 -
2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/security/integrity/ima/ima_api.c
b/security/integrity/ima/ima_api.c
index ba9e4d7..d719978 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -199,6 +199,7 @@ int ima_collect_measurement(struct
integrity_iint_cache *iint,
struct evm_ima_xattr_data **xattr_value,
int *xattr_len)
{
+ const char *audit_cause = "failed";
struct inode *inode = file_inode(file);
const char *filename = file->f_dentry->d_name.name;
int result = 0;
@@ -213,6 +214,12 @@ int ima_collect_measurement(struct
integrity_iint_cache *iint,
if (!(iint->flags & IMA_COLLECTED)) {
u64 i_version = file_inode(file)->i_version;

+ if (file->f_flags & O_DIRECT) {
+ audit_cause = "failed(directio)";
+ result = -EACCES;
+ goto out;
+ }
+ 
/* use default hash algorithm */
hash.hdr.algo = ima_hash_algo;

@@ -233,9 +240,10 @@ int ima_collect_measurement(struct
integrity_iint_cache *iint,
result = -ENOMEM;
}
}
+out:
if (result)
integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
- filename, "collect_data", "failed",
+ filename, "collect_data", audit_cause,
result, 0);
return result;
}
diff --git a/security/integrity/ima/ima_main.c
b/security/integrity/ima/ima_main.c
index 654111f..3e5b732 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -214,8 +214,11 @@ static int process_measurement(struct file *file,
const char *filename,
xattr_ptr = _value;

rc = ima_collect_measurement(iint, file, xattr_ptr, _len);
- if (rc != 0)
+ if (rc != 0) { 
+ if (file->f_flags & O_DIRECT)
+ rc = 0;
goto out_digsig;
+ }

pathname = filename ?: ima_d_path(>f_path, );

-- 
1.8.1.4



--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[RFC PATCH] ima: audit log files opened with O_DIRECT flag

2014-05-12 Thread Mimi Zohar

As a temporary fix, do not measure, appraise, or audit files
opened with the O_DIRECT flag set.  Just audit log it.

Signed-off-by: Mimi Zohar zo...@linux.vnet.ibm.com
---
security/integrity/ima/ima_api.c  | 10 +-
security/integrity/ima/ima_main.c |  5 -
2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/security/integrity/ima/ima_api.c
b/security/integrity/ima/ima_api.c
index ba9e4d7..d719978 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -199,6 +199,7 @@ int ima_collect_measurement(struct
integrity_iint_cache *iint,
struct evm_ima_xattr_data **xattr_value,
int *xattr_len)
{
+ const char *audit_cause = failed;
struct inode *inode = file_inode(file);
const char *filename = file-f_dentry-d_name.name;
int result = 0;
@@ -213,6 +214,12 @@ int ima_collect_measurement(struct
integrity_iint_cache *iint,
if (!(iint-flags  IMA_COLLECTED)) {
u64 i_version = file_inode(file)-i_version;

+ if (file-f_flags  O_DIRECT) {
+ audit_cause = failed(directio);
+ result = -EACCES;
+ goto out;
+ }
+ 
/* use default hash algorithm */
hash.hdr.algo = ima_hash_algo;

@@ -233,9 +240,10 @@ int ima_collect_measurement(struct
integrity_iint_cache *iint,
result = -ENOMEM;
}
}
+out:
if (result)
integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
- filename, collect_data, failed,
+ filename, collect_data, audit_cause,
result, 0);
return result;
}
diff --git a/security/integrity/ima/ima_main.c
b/security/integrity/ima/ima_main.c
index 654111f..3e5b732 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -214,8 +214,11 @@ static int process_measurement(struct file *file,
const char *filename,
xattr_ptr = xattr_value;

rc = ima_collect_measurement(iint, file, xattr_ptr, xattr_len);
- if (rc != 0)
+ if (rc != 0) { 
+ if (file-f_flags  O_DIRECT)
+ rc = 0;
goto out_digsig;
+ }

pathname = filename ?: ima_d_path(file-f_path, pathbuf);

-- 
1.8.1.4



--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [RFC PATCH] ima: audit log files opened with O_DIRECT flag

2014-05-12 Thread Mimi Zohar

Reposting unmangled version ...

As a temporary fix, do not measure, appraise, or audit files
opened with the O_DIRECT flag set.  Just audit log it.

Signed-off-by: Mimi Zohar zo...@linux.vnet.ibm.com
Cc: sta...@vger.kernel.org
---
 security/integrity/ima/ima_api.c  | 10 +-
 security/integrity/ima/ima_main.c |  5 -
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index ba9e4d7..d719978 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -199,6 +199,7 @@ int ima_collect_measurement(struct integrity_iint_cache 
*iint,
struct evm_ima_xattr_data **xattr_value,
int *xattr_len)
 {
+   const char *audit_cause = failed;
struct inode *inode = file_inode(file);
const char *filename = file-f_dentry-d_name.name;
int result = 0;
@@ -213,6 +214,12 @@ int ima_collect_measurement(struct integrity_iint_cache 
*iint,
if (!(iint-flags  IMA_COLLECTED)) {
u64 i_version = file_inode(file)-i_version;
 
+   if (file-f_flags  O_DIRECT) {
+   audit_cause = failed(directio);
+   result = -EACCES;
+   goto out;
+   }
+   
/* use default hash algorithm */
hash.hdr.algo = ima_hash_algo;
 
@@ -233,9 +240,10 @@ int ima_collect_measurement(struct integrity_iint_cache 
*iint,
result = -ENOMEM;
}
}
+out:
if (result)
integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
-   filename, collect_data, failed,
+   filename, collect_data, audit_cause,
result, 0);
return result;
 }
diff --git a/security/integrity/ima/ima_main.c 
b/security/integrity/ima/ima_main.c
index 654111f..3e5b732 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -214,8 +214,11 @@ static int process_measurement(struct file *file, const 
char *filename,
xattr_ptr = xattr_value;
 
rc = ima_collect_measurement(iint, file, xattr_ptr, xattr_len);
-   if (rc != 0)
+   if (rc != 0) { 
+   if (file-f_flags  O_DIRECT)
+   rc = 0;
goto out_digsig;
+   }
 
pathname = filename ?: ima_d_path(file-f_path, pathbuf);
 
-- 
1.8.1.4



--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [RFC PATCH] ima: audit log files opened with O_DIRECT flag

Re: [RFC PATCH] ima: audit log files opened with O_DIRECT flag

Re: [RFC PATCH] ima: audit log files opened with O_DIRECT flag

Re: [RFC PATCH] ima: audit log files opened with O_DIRECT flag

Re: [RFC PATCH] ima: audit log files opened with O_DIRECT flag

[RFC PATCH] ima: audit log files opened with O_DIRECT flag

[RFC PATCH] ima: audit log files opened with O_DIRECT flag

Re: [RFC PATCH] ima: audit log files opened with O_DIRECT flag

8 matches

Site Navigation

Mail list logo

Footer information