Re: [PATCH 3/4] integrity: IMA as an integrity service provider

From: Mimi Zohar
Date: Thu Nov 20 2008 - 20:40:24 EST


On Thu, 2008-11-20 at 13:22 -0800, Dave Hansen wrote:
> On Thu, 2008-11-20 at 11:43 -0500, Mimi Zohar wrote:
> >
> > + /* Invalidate PCR, if a measured file is already open for read
> > */
> > + if ((mask == MAY_WRITE) || (mask == MAY_APPEND)) {
> > + int mask_sav = data->mask;
> > + int rc;
> > +
> > + data->mask = MAY_READ;
> > + rc = ima_must_measure(&idata);
> > + if (!rc) {
> > + if (atomic_read(&(data->dentry->d_count)) - 1 >
> > + atomic_read(&(inode->i_writecount)))
> > + ima_add_violation(inode, data->filename,
> > + "invalid_pcr", "ToMToU");
> > + }
> > + data->mask = mask_sav;
> > + goto out;
> > + }
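Review bot: the reader-detection heuristic `atomic_read(&(data->dentry->d_count)) - 1 > atomic_read(&(inode->i_writecount))` compares a per-dentry count against a per-inode count, so it is imprecise in both directions: d_count is raised by things other than open() (lookups in flight, other references to the dentry), which can record a ToMToU violation with no reader present, while readers that reached the inode through a different dentry (a hard link) are not counted at all. If the question is "does this inode currently have readers", deriving it from inode-level state rather than the dentry count would be more reliable, and the comment above the block should state which false positives are being accepted as safe. Separately, `(mask == MAY_WRITE) || (mask == MAY_APPEND)` tests the mask for equality, so a request carrying additional bits (for example MAY_READ|MAY_WRITE) never enters the branch; `if (mask & (MAY_WRITE | MAY_APPEND))` would cover those cases.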
>
> Following up on Christoph's comment...
>
> I'm worried that this calculation isn't very precise. The calculation
> that you're trying to come up with here is the number of opens (d_count)
> vs. the number of writers (i_writecount). When they don't match, you
> know that the new open is the first write, and you must 'invalidate the
> PCR'?
>
> There are a number of things that elevate d_count, and it is a lot more
> than just an open() that can do it. Is that OK?
>
> -- Dave

From an integrity perspective, a file measurement might be invalidated
unnecessarily, but it is safe. Any file that is opened for write while
it has an existing reader will cause the file measurement to be
invalidated. Can you give examples of things, other than open(), that
elevate d_count?

Is there a different, better way to determine if there are any readers?

Thanks!

Mimi

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/