[PATCH v2 10/10] ima: use existing read file operation method to calculate file hash

Mimi Zohar zohar at linux.vnet.ibm.com
Wed Jun 21 18:18:30 UTC 2017

The builtin "ima_tcb" policy measures all files read by root.  This
policy includes, for example, files on efivars.  Since some files on
these filesystems were previously measured (eg. OsIndicationsSupported),
not measuring them would change the PCR hash value(s), potentially
breaking userspace.

The few filesystems that currently define the ->read file operation
method, either call seq_read() or have a filesystem specific ->read
method.  None of them, at least in the fs directory, take the i_rwsem.

For filesystems that do not define the ->integrity_read file operation
method and have a ->read method, this patch calls the ->read method
to calculate the file hash.

Signed-off-by: Mimi Zohar <zohar at linux.vnet.ibm.com>
 security/integrity/iint.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/security/integrity/iint.c b/security/integrity/iint.c
index df04f35a1d40..75c3cef5fd01 100644
--- a/security/integrity/iint.c
+++ b/security/integrity/iint.c
@@ -189,20 +189,29 @@ int integrity_kernel_read(struct file *file, loff_t offset,
 	struct kvec iov = { .iov_base = addr, .iov_len = count };
 	struct kiocb kiocb;
 	struct iov_iter iter;
-	ssize_t ret;
+	ssize_t ret = -EBADF;
 	if (!(file->f_mode & FMODE_READ))
 		return -EBADF;
-	if (!file->f_op->integrity_read)
-		return -EBADF;
 	init_sync_kiocb(&kiocb, file);
 	kiocb.ki_pos = offset;
 	iov_iter_kvec(&iter, READ | ITER_KVEC, &iov, 1, count);
-	ret = file->f_op->integrity_read(&kiocb, &iter);
+	if (file->f_op->integrity_read) {
+		ret = file->f_op->integrity_read(&kiocb, &iter);
+	} else if (file->f_op->read) {
+		mm_segment_t old_fs;
+		char __user *buf = (char __user *)addr;
+		old_fs = get_fs();
+		set_fs(get_ds());
+		ret = file->f_op->read(file, buf, count, &offset);
+		set_fs(old_fs);
+	}
 	return ret;

To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

More information about the Linux-security-module-archive mailing list