Memory leak was found in TOMOYO 2.3 which is included in 2.6.36 and later.

In tomoyo_check_open_permission(), which checks permissions upon file open,
TOMOYO was mistakenly recalculating the already calculated pathname when
checking the allow_rewrite permission.

int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
                                 struct path *path, const int flag)
{
        const u8 acc_mode = ACC_MODE(flag);
        int error = -ENOMEM;
        struct tomoyo_path_info buf;
        struct tomoyo_request_info r;
        int idx;

        if (!path->mnt ||
            (path->dentry->d_inode && S_ISDIR(path->dentry->d_inode->i_mode)))
                return 0;
        buf.name = NULL;
        r.mode = TOMOYO_CONFIG_DISABLED;
        idx = tomoyo_read_lock();
        if (!tomoyo_get_realpath(&buf, path))
                goto out;
        error = 0;
        /*
         * If the filename is specified by "deny_rewrite" keyword,
         * we need to check "allow_rewrite" permission when the filename is not
         * opened for append mode or the filename is truncated at open time.
         */
        if ((acc_mode & MAY_WRITE) && !(flag & O_APPEND)
            && tomoyo_init_request_info(&r, domain, TOMOYO_MAC_FILE_REWRITE)
            != TOMOYO_CONFIG_DISABLED) {
                if (!tomoyo_get_realpath(&buf, path)) {
                        error = -ENOMEM;
                        goto out;
                }
                if (tomoyo_no_rewrite_file(&buf))
                        error = tomoyo_path_permission(&r, TOMOYO_TYPE_REWRITE,
                                                       &buf);
        }
        (...snipped...)
}

As a result, memory will leak whenever a file is opened for writing without
O_APPEND flag. Also, performance will degrade because TOMOYO is calculating
pathname regardless of profile configuration (i.e. calculates pathname even
for CONFIG={ mode=disabled } case.)

To fix the leak and degrade, please apply below patch and recompile and reboot.

---
 security/tomoyo/file.c |    5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

--- linux-2.6.38-rc7.orig/security/tomoyo/file.c
+++ linux-2.6.38-rc7/security/tomoyo/file.c
@@ -927,7 +927,7 @@ int tomoyo_check_open_permission(struct 
                                 struct path *path, const int flag)
 {
        const u8 acc_mode = ACC_MODE(flag);
-       int error = -ENOMEM;
+       int error = 0;
        struct tomoyo_path_info buf;
        struct tomoyo_request_info r;
        int idx;
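Review bot: With `int error = 0;` the function's default result becomes "allow", so every remaining `goto out` has to assign its own error code, and nothing in this hunk records that requirement. A short comment on the declaration would help, for example `/* 0 == allow; each failure path before "out" must set error explicitly */`. The rest of the body lies outside both hunks, so it is not visible here whether a later permission check also computes the pathname. If one does, guarding it as `if (!buf.name && !tomoyo_get_realpath(&buf, path))` would keep the same double-allocation leak from returning when the rewrite branch has already filled `buf`.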
@@ -938,9 +938,6 @@ int tomoyo_check_open_permission(struct 
        buf.name = NULL;
        r.mode = TOMOYO_CONFIG_DISABLED;
        idx = tomoyo_read_lock();
-       if (!tomoyo_get_realpath(&buf, path))
-               goto out;
-       error = 0;
        /*
         * If the filename is specified by "deny_rewrite" keyword,
         * we need to check "allow_rewrite" permission when the filename is not

If you cannot reboot soon, you can append below entries to
/etc/tomoyo/profile.conf and /sys/kernel/security/tomoyo/profile
(i.e. disable allow_rewrite permission checking) in order to avoid the leak.

0-CONFIG::file::rewrite={ mode=disabled }
1-CONFIG::file::rewrite={ mode=disabled }
2-CONFIG::file::rewrite={ mode=disabled }
3-CONFIG::file::rewrite={ mode=disabled }

Regards.
