ima: fix filename hint to reflect script interpreter name

When IMA was first upstreamed, the bprm filename and interp were always the same. Currently, the bprm->filename and bprm->interp are the same, except for when only bprm->interp contains the interpreter name. So instead of using the bprm->filename as the IMA filename hint in the measurement list, we could replace it with bprm->interp, but this feels too fragil. The following patch is not much better, but at least there is some indication that sometimes we're passing the filename and other times the interpreter name. Reported-by: N Andrew Lunn <andrew@lunn.ch> Signed-off-by: N Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: N James Morris <james.l.morris@oracle.com>

ima: fix filename hint to reflect script interpreter name
When IMA was first upstreamed, the bprm filename and interp were always the same. Currently, the bprm->filename and bprm->interp are the same, except for when only bprm->interp contains the interpreter name. So instead of using the bprm->filename as the IMA filename hint in the measurement list, we could replace it with bprm->interp, but this feels too fragil. The following patch is not much better, but at least there is some indication that sometimes we're passing the filename and other times the interpreter name. Reported-by: N Andrew Lunn <andrew@lunn.ch> Signed-off-by: N Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: N James Morris <james.l.morris@oracle.com>
fbbb4563 · Mimi Zohar · James Morris · 12fa8a27 · fbbb4563
隐藏空白更改
内联并排

Showing with 3 addition and 1 deletion

security/integrity/ima/ima_main.c security/integrity/ima/ima_main.c +3 -1

未找到文件。
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -194,7 +194,9 @@ int ima_bprm_check(struct linux_binprm *bprm)
 {
 	int rc;

-	rc = process_measurement(bprm->file, bprm->filename,
+	rc = process_measurement(bprm->file,
+				 (strcmp(bprm->filename, bprm->interp) == 0) ?
+				 bprm->filename : bprm->interp,
 				 MAY_EXEC, BPRM_CHECK);
 	return 0;
 }