[PATCH v5 1/7] fs: introduce kernel_pread_file* support
Mimi Zohar
zohar at kernel.org
Wed May 13 18:39:13 UTC 2020
[Cc'ing linux-security-module, linux-integrity]
On Thu, 2020-05-07 at 17:27 -0700, Scott Branden wrote:
> Add kernel_pread_file* support to kernel to allow for partial read
> of files with an offset into the file. Existing kernel_read_file
> functions call new kernel_pread_file functions with offset=0 and
> flags=KERNEL_PREAD_FLAG_WHOLE.
>
> Signed-off-by: Scott Branden <scott.branden at broadcom.com>
> ---
<snip>
> @@ -941,14 +955,16 @@ int kernel_read_file(struct file *file, void **buf, loff_t *size,
>
> if (bytes == 0)
> break;
> +
> + buf_pos += bytes;
> }
>
> - if (pos != i_size) {
> + if (pos != read_end) {
> ret = -EIO;
> goto out_free;
> }
>
> - ret = security_kernel_post_read_file(file, *buf, i_size, id);
> + ret = security_kernel_post_read_file(file, *buf, alloc_size, id);
> if (!ret)
> *size = pos;
Prior to the patch set that introduced this security hook, firmware
would be read twice, once for measuring/appraising the firmware and
again reading the file contents into memory. Partial reads will break
both IMA's measuring the file and appraising the file signatures.
Mimi
More information about the Linux-security-module-archive
mailing list