1. 08 10月, 2014 1 次提交
    • D
      ima: check ima_policy_flag in the ima_file_free() hook · 0f34a006
      Dmitry Kasatkin 提交于
      This patch completes the switching to the 'ima_policy_flag' variable
      in the checks at the beginning of IMA functions, starting with the
      commit a756024e.
      
      Checking 'iint_initialized' is completely unnecessary, because
      S_IMA flag is unset if iint was not allocated. At the same time
      the integrity cache is allocated with SLAB_PANIC and the kernel will
      panic if the allocation fails during kernel initialization. So on
      a running system iint_initialized is always true and can be removed.
      
      Changes in v3:
      * not limiting test to IMA_APPRAISE (spotted by Roberto Sassu)
      
      Changes in v2:
      * 'iint_initialized' removal patch merged to this patch (requested
         by Mimi)
      Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
      Acked-by: NRoberto Sassu <roberto.sassu@polito.it>
      0f34a006
  2. 18 9月, 2014 6 次提交
    • R
      ima: detect violations for mmaped files · 1b68bdf9
      Roberto Sassu 提交于
      This patch fixes the detection of the 'open_writers' violation for mmaped
      files.
      
      before) an 'open_writers' violation is detected if the policy contains
              a rule with the criteria: func=FILE_CHECK mask=MAY_READ
      
      after) an 'open_writers' violation is detected if the current event
             matches one of the policy rules.
      
      With the old behaviour, the 'open_writers' violation is not detected
      in the following case:
      
      policy:
      measure func=FILE_MMAP mask=MAY_EXEC
      
      steps:
      1) open a shared library for writing
      2) execute a binary that links that shared library
      3) during the binary execution, modify the shared library and save
         the change
      
      result:
      the 'open_writers' violation measurement is not present in the IMA list.
      
      Only binaries executed are protected from writes. For libraries mapped
      in memory there is the flag MAP_DENYWRITE for this purpose, but according
      to the output of 'man mmap', the mmap flag is ignored.
      
      Since ima_rdwr_violation_check() is now called by process_measurement()
      the information about if the inode must be measured is already provided
      by ima_get_action(). Thus the unnecessary function ima_must_measure()
      has been removed.
      
      Changes in v3 (Dmitry Kasatkin):
      - Violation for MMAP_CHECK function are verified since this patch
      - Changed patch description a bit
      Signed-off-by: NRoberto Sassu <roberto.sassu@polito.it>
      Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      1b68bdf9
    • R
      ima: fix race condition on ima_rdwr_violation_check and process_measurement · f7a859ff
      Roberto Sassu 提交于
      This patch fixes a race condition between two functions that try to access
      the same inode. Since the i_mutex lock is held and released separately
      in the two functions, there may be the possibility that a violation is
      not correctly detected.
      
      Suppose there are two processes, A (reader) and B (writer), if the
      following sequence happens:
      
      A: ima_rdwr_violation_check()
      B: ima_rdwr_violation_check()
      B: process_measurement()
      B: starts writing the inode
      A: process_measurement()
      
      the ToMToU violation (a reader may be accessing a content different from
      that measured, due to a concurrent modification by a writer) will not be
      detected. To avoid this issue, the violation check and the measurement
      must be done atomically.
      
      This patch fixes the problem by moving the violation check inside
      process_measurement() when the i_mutex lock is held. Differently from
      the old code, the violation check is executed also for the MMAP_CHECK
      hook (other than for FILE_CHECK). This allows to detect ToMToU violations
      that are possible because shared libraries can be opened for writing
      while they are in use (according to the output of 'man mmap', the mmap()
      flag MAP_DENYWRITE is ignored).
      
      Changes in v5 (Roberto Sassu):
      * get iint if action is not zero
      * exit process_measurement() after the violation check if action is zero
      * reverse order process_measurement() exit cleanup (Mimi)
      
      Changes in v4 (Dmitry Kasatkin):
      * iint allocation is done before calling ima_rdrw_violation_check()
        (Suggested-by Mimi)
      * do not check for violations if the policy does not contain 'measure'
        rules (done by Roberto Sassu)
      
      Changes in v3 (Dmitry Kasatkin):
      * no violation checking for MMAP_CHECK function in this patch
      * remove use of filename from violation
      * removes checking if ima is enabled from ima_rdrw_violation_check
      * slight style change
      Suggested-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: NRoberto Sassu <roberto.sassu@polito.it>
      Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      f7a859ff
    • R
      ima: added ima_policy_flag variable · a756024e
      Roberto Sassu 提交于
      This patch introduces the new variable 'ima_policy_flag', whose bits
      are set depending on the action of the current policy rules. Only the
      flags IMA_MEASURE, IMA_APPRAISE and IMA_AUDIT are set.
      
      The new variable will be used to improve performance by skipping the
      unnecessary execution of IMA code if the policy does not contain rules
      with the above actions.
      
      Changes in v6 (Roberto Sassu)
      * do not check 'ima_initialized' before calling ima_update_policy_flag()
        in ima_update_policy() (suggested by Dmitry)
      * calling ima_update_policy_flag() moved to init_ima to co-locate with
        ima_initialized (Dmitry)
      * add/revise comments (Mimi)
      
      Changes in v5 (Roberto Sassu)
      * reset IMA_APPRAISE flag in 'ima_policy_flag' if 'ima_appraise' is set
        to zero (reported by Dmitry)
      * update 'ima_policy_flag' only if IMA initialization is successful
        (suggested by Mimi and Dmitry)
      * check 'ima_policy_flag' instead of 'ima_initialized'
        (suggested by Mimi and Dmitry)
      Signed-off-by: NRoberto Sassu <roberto.sassu@polito.it>
      Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      a756024e
    • R
      ima: return an error code from ima_add_boot_aggregate() · be39ffc2
      Roberto Sassu 提交于
      This patch modifies ima_add_boot_aggregate() to return an error code.
      This way we can determine if all the initialization procedures have
      been executed successfully.
      Signed-off-by: NRoberto Sassu <roberto.sassu@polito.it>
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      be39ffc2
    • D
      ima: provide 'ima_appraise=log' kernel option · 2faa6ef3
      Dmitry Kasatkin 提交于
      The kernel boot parameter "ima_appraise" currently defines 'off',
      'enforce' and 'fix' modes.  When designing a policy and labeling
      the system, access to files are either blocked in the default
      'enforce' mode or automatically fixed in the 'fix' mode.  It is
      beneficial to be able to run the system in a logging only mode,
      without fixing it, in order to properly analyze the system. This
      patch adds a 'log' mode to run the system in a permissive mode and
      log the appraisal results.
      Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      2faa6ef3
    • D
      ima: move keyring initialization to ima_init() · 31b70f66
      Dmitry Kasatkin 提交于
      ima_init() is used as a single place for all initializations.
      Experimental keyring patches used the 'late_initcall' which was
      co-located with the late_initcall(init_ima). When the late_initcall
      for the keyring initialization was abandoned, initialization moved
      to init_ima, though it would be more logical to move it to ima_init,
      where the rest of the initialization is done. This patch moves the
      keyring initialization to ima_init() as a preparatory step for
      loading the keys which will be added to ima_init() in following
      patches.
      Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      31b70f66
  3. 09 9月, 2014 10 次提交
  4. 03 9月, 2014 3 次提交
  5. 26 7月, 2014 1 次提交
  6. 17 7月, 2014 7 次提交
    • M
      ima: define '.ima' as a builtin 'trusted' keyring · 7d2ce232
      Mimi Zohar 提交于
      Require all keys added to the IMA keyring be signed by an
      existing trusted key on the system trusted keyring.
      
      Changelog v6:
      - remove ifdef CONFIG_IMA_TRUSTED_KEYRING in C code - Dmitry
      - update Kconfig dependency and help
      - select KEYS_DEBUG_PROC_KEYS - Dmitry
      
      Changelog v5:
      - Move integrity_init_keyring() to init_ima() - Dmitry
      - reset keyring[id] on failure - Dmitry
      
      Changelog v1:
      - don't link IMA trusted keyring to user keyring
      
      Changelog:
      - define stub integrity_init_keyring() function (reported-by Fengguang Wu)
      - differentiate between regular and trusted keyring names.
      - replace printk with pr_info (D. Kasatkin)
      - only make the IMA keyring a trusted keyring (reported-by D. Kastatkin)
      - define stub integrity_init_keyring() definition based on
        CONFIG_INTEGRITY_SIGNATURE, not CONFIG_INTEGRITY_ASYMMETRIC_KEYS.
        (reported-by Jim Davis)
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
      Acked-by: NDavid Howells <dhowells@redhat.com>
      7d2ce232
    • D
      ima: provide double buffering for hash calculation · 32c2e675
      Dmitry Kasatkin 提交于
      The asynchronous hash API allows initiating a hash calculation and
      then performing other tasks, while waiting for the hash calculation
      to complete.
      
      This patch introduces usage of double buffering for simultaneous
      hashing and reading of the next chunk of data from storage.
      
      Changes in v3:
      - better comments
      Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      32c2e675
    • D
      ima: introduce multi-page collect buffers · 6edf7a89
      Dmitry Kasatkin 提交于
      Use of multiple-page collect buffers reduces:
      1) the number of block IO requests
      2) the number of asynchronous hash update requests
      
      Second is important for HW accelerated hashing, because significant
      amount of time is spent for preparation of hash update operation,
      which includes configuring acceleration HW, DMA engine, etc...
      Thus, HW accelerators are more efficient when working on large
      chunks of data.
      
      This patch introduces usage of multi-page collect buffers. Buffer size
      can be specified using 'ahash_bufsize' module parameter. Default buffer
      size is 4096 bytes.
      
      Changes in v3:
      - kernel parameter replaced with module parameter
      Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      6edf7a89
    • D
      ima: use ahash API for file hash calculation · 3bcced39
      Dmitry Kasatkin 提交于
      Async hash API allows the use of HW acceleration for hash calculation.
      It may give significant performance gain and/or reduce power consumption,
      which might be very beneficial for battery powered devices.
      
      This patch introduces hash calculation using ahash API. ahash performance
      depends on the data size and the particular HW. Depending on the specific
      system, shash performance may be better.
      
      This patch defines 'ahash_minsize' module parameter, which is used to
      define the minimal file size to use with ahash.  If this minimum file size
      is not set or the file is smaller than defined by the parameter, shash will
      be used.
      
      Changes in v3:
      - kernel parameter replaced with module parameter
      - pr_crit replaced with pr_crit_ratelimited
      - more comment changes - Mimi
      
      Changes in v2:
      - ima_ahash_size became as ima_ahash
      - ahash pre-allocation moved out from __init code to be able to use
        ahash crypto modules. Ahash allocated once on the first use.
      - hash calculation falls back to shash if ahash allocation/calculation fails
      - complex initialization separated from variable declaration
      - improved comments
      Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      3bcced39
    • R
      audit: fix dangling keywords in integrity ima message output · 7e9001f6
      Richard Guy Briggs 提交于
      Replace spaces in op keyword labels in log output since userspace audit tools
      can't parse orphaned keywords.
      Reported-by: NSteve Grubb <sgrubb@redhat.com>
      Signed-off-by: NRichard Guy Briggs <rgb@redhat.com>
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      7e9001f6
    • D
      ima: delay template descriptor lookup until use · 209b43ca
      Dmitry Kasatkin 提交于
      process_measurement() always calls ima_template_desc_current(),
      including when an IMA policy has not been defined.
      
      This patch delays template descriptor lookup until action is
      determined.
      Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      209b43ca
    • D
      ima: remove unnecessary i_mutex locking from ima_rdwr_violation_check() · 2c50b964
      Dmitry Kasatkin 提交于
      Before 2.6.39 inode->i_readcount was maintained by IMA. It was not atomic
      and protected using spinlock. For 2.6.39, i_readcount was converted to
      atomic and maintaining was moved VFS layer. Spinlock for some unclear
      reason was replaced by i_mutex.
      
      After analyzing the code, we came to conclusion that i_mutex locking is
      unnecessary, especially when an IMA policy has not been defined.
      
      This patch removes i_mutex locking from ima_rdwr_violation_check().
      Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      2c50b964
  7. 13 6月, 2014 4 次提交
    • D
      ima: introduce ima_kernel_read() · 0430e49b
      Dmitry Kasatkin 提交于
      Commit 8aac6270 "move exit_task_namespaces() outside of exit_notify"
      introduced the kernel opps since the kernel v3.10, which happens when
      Apparmor and IMA-appraisal are enabled at the same time.
      
      ----------------------------------------------------------------------
      [  106.750167] BUG: unable to handle kernel NULL pointer dereference at
      0000000000000018
      [  106.750221] IP: [<ffffffff811ec7da>] our_mnt+0x1a/0x30
      [  106.750241] PGD 0
      [  106.750254] Oops: 0000 [#1] SMP
      [  106.750272] Modules linked in: cuse parport_pc ppdev bnep rfcomm
      bluetooth rpcsec_gss_krb5 nfsd auth_rpcgss nfs_acl nfs lockd sunrpc
      fscache dm_crypt intel_rapl x86_pkg_temp_thermal intel_powerclamp
      kvm_intel snd_hda_codec_hdmi kvm crct10dif_pclmul crc32_pclmul
      ghash_clmulni_intel aesni_intel aes_x86_64 glue_helper lrw gf128mul
      ablk_helper cryptd snd_hda_codec_realtek dcdbas snd_hda_intel
      snd_hda_codec snd_hwdep snd_pcm snd_page_alloc snd_seq_midi
      snd_seq_midi_event snd_rawmidi psmouse snd_seq microcode serio_raw
      snd_timer snd_seq_device snd soundcore video lpc_ich coretemp mac_hid lp
      parport mei_me mei nbd hid_generic e1000e usbhid ahci ptp hid libahci
      pps_core
      [  106.750658] CPU: 6 PID: 1394 Comm: mysqld Not tainted 3.13.0-rc7-kds+ #15
      [  106.750673] Hardware name: Dell Inc. OptiPlex 9010/0M9KCM, BIOS A08
      09/19/2012
      [  106.750689] task: ffff8800de804920 ti: ffff880400fca000 task.ti:
      ffff880400fca000
      [  106.750704] RIP: 0010:[<ffffffff811ec7da>]  [<ffffffff811ec7da>]
      our_mnt+0x1a/0x30
      [  106.750725] RSP: 0018:ffff880400fcba60  EFLAGS: 00010286
      [  106.750738] RAX: 0000000000000000 RBX: 0000000000000100 RCX:
      ffff8800d51523e7
      [  106.750764] RDX: ffffffffffffffea RSI: ffff880400fcba34 RDI:
      ffff880402d20020
      [  106.750791] RBP: ffff880400fcbae0 R08: 0000000000000000 R09:
      0000000000000001
      [  106.750817] R10: 0000000000000000 R11: 0000000000000001 R12:
      ffff8800d5152300
      [  106.750844] R13: ffff8803eb8df510 R14: ffff880400fcbb28 R15:
      ffff8800d51523e7
      [  106.750871] FS:  0000000000000000(0000) GS:ffff88040d200000(0000)
      knlGS:0000000000000000
      [  106.750910] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  106.750935] CR2: 0000000000000018 CR3: 0000000001c0e000 CR4:
      00000000001407e0
      [  106.750962] Stack:
      [  106.750981]  ffffffff813434eb ffff880400fcbb20 ffff880400fcbb18
      0000000000000000
      [  106.751037]  ffff8800de804920 ffffffff8101b9b9 0001800000000000
      0000000000000100
      [  106.751093]  0000010000000000 0000000000000002 000000000000000e
      ffff8803eb8df500
      [  106.751149] Call Trace:
      [  106.751172]  [<ffffffff813434eb>] ? aa_path_name+0x2ab/0x430
      [  106.751199]  [<ffffffff8101b9b9>] ? sched_clock+0x9/0x10
      [  106.751225]  [<ffffffff8134a68d>] aa_path_perm+0x7d/0x170
      [  106.751250]  [<ffffffff8101b945>] ? native_sched_clock+0x15/0x80
      [  106.751276]  [<ffffffff8134aa73>] aa_file_perm+0x33/0x40
      [  106.751301]  [<ffffffff81348c5e>] common_file_perm+0x8e/0xb0
      [  106.751327]  [<ffffffff81348d78>] apparmor_file_permission+0x18/0x20
      [  106.751355]  [<ffffffff8130c853>] security_file_permission+0x23/0xa0
      [  106.751382]  [<ffffffff811c77a2>] rw_verify_area+0x52/0xe0
      [  106.751407]  [<ffffffff811c789d>] vfs_read+0x6d/0x170
      [  106.751432]  [<ffffffff811cda31>] kernel_read+0x41/0x60
      [  106.751457]  [<ffffffff8134fd45>] ima_calc_file_hash+0x225/0x280
      [  106.751483]  [<ffffffff8134fb52>] ? ima_calc_file_hash+0x32/0x280
      [  106.751509]  [<ffffffff8135022d>] ima_collect_measurement+0x9d/0x160
      [  106.751536]  [<ffffffff810b552d>] ? trace_hardirqs_on+0xd/0x10
      [  106.751562]  [<ffffffff8134f07c>] ? ima_file_free+0x6c/0xd0
      [  106.751587]  [<ffffffff81352824>] ima_update_xattr+0x34/0x60
      [  106.751612]  [<ffffffff8134f0d0>] ima_file_free+0xc0/0xd0
      [  106.751637]  [<ffffffff811c9635>] __fput+0xd5/0x300
      [  106.751662]  [<ffffffff811c98ae>] ____fput+0xe/0x10
      [  106.751687]  [<ffffffff81086774>] task_work_run+0xc4/0xe0
      [  106.751712]  [<ffffffff81066fad>] do_exit+0x2bd/0xa90
      [  106.751738]  [<ffffffff8173c958>] ? retint_swapgs+0x13/0x1b
      [  106.751763]  [<ffffffff8106780c>] do_group_exit+0x4c/0xc0
      [  106.751788]  [<ffffffff81067894>] SyS_exit_group+0x14/0x20
      [  106.751814]  [<ffffffff8174522d>] system_call_fastpath+0x1a/0x1f
      [  106.751839] Code: c3 0f 1f 44 00 00 55 48 89 e5 e8 22 fe ff ff 5d c3
      0f 1f 44 00 00 55 65 48 8b 04 25 c0 c9 00 00 48 8b 80 28 06 00 00 48 89
      e5 5d <48> 8b 40 18 48 39 87 c0 00 00 00 0f 94 c0 c3 0f 1f 80 00 00 00
      [  106.752185] RIP  [<ffffffff811ec7da>] our_mnt+0x1a/0x30
      [  106.752214]  RSP <ffff880400fcba60>
      [  106.752236] CR2: 0000000000000018
      [  106.752258] ---[ end trace 3c520748b4732721 ]---
      ----------------------------------------------------------------------
      
      The reason for the oops is that IMA-appraisal uses "kernel_read()" when
      file is closed. kernel_read() honors LSM security hook which calls
      Apparmor handler, which uses current->nsproxy->mnt_ns. The 'guilty'
      commit changed the order of cleanup code so that nsproxy->mnt_ns was
      not already available for Apparmor.
      
      Discussion about the issue with Al Viro and Eric W. Biederman suggested
      that kernel_read() is too high-level for IMA. Another issue, except
      security checking, that was identified is mandatory locking. kernel_read
      honors it as well and it might prevent IMA from calculating necessary hash.
      It was suggested to use simplified version of the function without security
      and locking checks.
      
      This patch introduces special version ima_kernel_read(), which skips security
      and mandatory locking checking. It prevents the kernel oops to happen.
      Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
      Suggested-by: NEric W. Biederman <ebiederm@xmission.com>
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      Cc: <stable@vger.kernel.org>
      0430e49b
    • D
      ima: check inode integrity cache in violation check · 14503eb9
      Dmitry Kasatkin 提交于
      When IMA did not support ima-appraisal, existance of the S_IMA flag
      clearly indicated that the file was measured. With IMA appraisal S_IMA
      flag indicates that file was measured and/or appraised. Because of
      this, when measurement is not enabled by the policy, violations are
      still reported.
      
      To differentiate between measurement and appraisal policies this
      patch checks the inode integrity cache flags.  The IMA_MEASURED
      flag indicates whether the file was actually measured, while the
      IMA_MEASURE flag indicates whether the file should be measured.
      Unfortunately, the IMA_MEASURED flag is reset to indicate the file
      needs to be re-measured.  Thus, this patch checks the IMA_MEASURE
      flag.
      
      This patch limits the false positive violation reports, but does
      not fix it entirely.  The IMA_MEASURE/IMA_MEASURED flags are
      indications that, at some point in time, the file opened for read
      was in policy, but might not be in policy now (eg. different uid).
      Other changes would be needed to further limit false positive
      violation reports.
      
      Changelog:
      - expanded patch description based on conversation with Roberto (Mimi)
      Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      14503eb9
    • D
      ima: prevent unnecessary policy checking · b882fae2
      Dmitry Kasatkin 提交于
      ima_rdwr_violation_check is called for every file openning.
      The function checks the policy even when violation condition
      is not met. It causes unnecessary policy checking.
      
      This patch does policy checking only if violation condition is met.
      
      Changelog:
      - check writecount is greater than zero (Mimi)
      Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      b882fae2
    • M
      ima: prevent new digsig xattr from being replaced · 060bdebf
      Mimi Zohar 提交于
      Even though a new xattr will only be appraised on the next access,
      set the DIGSIG flag to prevent a signature from being replaced with
      a hash on file close.
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      060bdebf
  8. 04 6月, 2014 1 次提交
    • M
      ima: audit log files opened with O_DIRECT flag · f9b2a735
      Mimi Zohar 提交于
      Files are measured or appraised based on the IMA policy.  When a
      file, in policy, is opened with the O_DIRECT flag, a deadlock
      occurs.
      
      The first attempt at resolving this lockdep temporarily removed the
      O_DIRECT flag and restored it, after calculating the hash.  The
      second attempt introduced the O_DIRECT_HAVELOCK flag. Based on this
      flag, do_blockdev_direct_IO() would skip taking the i_mutex a second
      time.  The third attempt, by Dmitry Kasatkin, resolves the i_mutex
      locking issue, by re-introducing the IMA mutex, but uncovered
      another problem.  Reading a file with O_DIRECT flag set, writes
      directly to userspace pages.  A second patch allocates a user-space
      like memory.  This works for all IMA hooks, except ima_file_free(),
      which is called on __fput() to recalculate the file hash.
      
      Until this last issue is addressed, do not 'collect' the
      measurement for measuring, appraising, or auditing files opened
      with the O_DIRECT flag set.  Based on policy, permit or deny file
      access.  This patch defines a new IMA policy rule option named
      'permit_directio'.  Policy rules could be defined, based on LSM
      or other criteria, to permit specific applications to open files
      with the O_DIRECT flag set.
      
      Changelog v1:
      - permit or deny file access based IMA policy rules
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      Acked-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
      Cc: <stable@vger.kernel.org>
      f9b2a735
  9. 08 3月, 2014 7 次提交