Message ID | 20250228205505.476845-1-zohar@linux.ibm.com (mailing list archive)
---|---
Series | ima: minimize open-writers and ToMToU violations
On Fri, 2025-02-28 at 15:55 -0500, Mimi Zohar wrote:
> Each time a file in policy, that is already opened for write, is opened
> for read, an open-writers integrity violation audit message is emitted
> and a violation record is added to the IMA measurement list.
>
> Similarly each time a file in policy, that is already opened for read,
> is opened for write, a Time-of-Measure-Time-of-Use (ToMToU) integrity
> violation audit message is emitted and a violation record is added to
> the IMA measurement list.
>
> As there is no benefit in having multiple open-writers or ToMToU
> violations for the same file open in the audit log and IMA measurement
> list, minimize them.
>
> Minimizing open-writer violations results in a single open-writers
> violation being emitted until all writers are closed no matter the
> number of subsequent file open readers (or writers).
>
> Minimizing ToMToU violations results in a single ToMToU violation being
> emitted for all subsequent file open writers, until another in policy
> file open reader.
>
> Since the IMA_MUST_MEASURE atomic flag is only used for tracking ToMToU
> violations, rename the atomic flag to IMA_MAY_EMIT_TOMTOU.
>
> Define a new atomic flag named IMA_EMITTED_OPENWRITERS to minimize
> open-writer violations.

Thanks Mimi. For the whole series:

Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com>

Roberto

> Mimi Zohar (2):
>   ima: limit the number of open-writers integrity violations
>   ima: limit the number of ToMToU integrity violations
>
>  security/integrity/ima/ima.h      |  3 ++-
>  security/integrity/ima/ima_main.c | 18 +++++++++++++-----
>  2 files changed, 15 insertions(+), 6 deletions(-)
>
> --
> 2.48.1
>
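Added illustration, not code from the series or from the kernel: a small C model of the two-flag behaviour the quoted cover letter describes, so the "one violation per writer episode" and "re-armed by the next reader" rules can be checked against a constructed open/close sequence. The struct ima_model fields and the model_* functions are invented for this example and do not mirror the kernel's iint cache or ima_main.c.

```c
#include <stdbool.h>
struct ima_model {                       /* per-inode model state, not the kernel's */
    int readers, writers;                /* current open readers / writers */
    bool may_emit_tomtou;                /* models IMA_MAY_EMIT_TOMTOU */
    bool emitted_openwriters;            /* models IMA_EMITTED_OPENWRITERS */
    int openwriters_violations, tomtou_violations;   /* records emitted */
};
/* Read open: a live writer is an open-writers violation, recorded once until
 * every writer has closed; a new reader also re-arms ToMToU detection. */
static void model_open_read(struct ima_model *m)
{
    if (m->writers > 0 && !m->emitted_openwriters) {
        m->emitted_openwriters = true;
        m->openwriters_violations++;
    }
    m->readers++;
    m->may_emit_tomtou = true;
}
/* Write open: a live reader is a ToMToU violation, recorded once for all
 * following writers until another reader opens the file. */
static void model_open_write(struct ima_model *m)
{
    if (m->readers > 0 && m->may_emit_tomtou) {
        m->may_emit_tomtou = false;
        m->tomtou_violations++;
    }
    m->writers++;
}
static void model_close_write(struct ima_model *m)
{
    if (--m->writers == 0)               /* last writer gone: allow a new record */
        m->emitted_openwriters = false;
}
/* Constructed sequence: reader, n writers, n readers, all writers close, then
 * one more writer and reader. For any n >= 1: 2 ToMToU, 2 open-writers. */
struct ima_model run_scenario(int n)
{
    struct ima_model m = {0};
    model_open_read(&m);                 /* first reader arms ToMToU */
    for (int i = 0; i < n; i++)
        model_open_write(&m);            /* first of these: ToMToU #1 */
    for (int i = 0; i < n; i++)
        model_open_read(&m);             /* first of these: open-writers #1 */
    for (int i = 0; i < n; i++)
        model_close_write(&m);           /* last close clears the flag */
    model_open_write(&m);                /* readers still open: ToMToU #2 */
    model_open_read(&m);                 /* a writer is open again: open-writers #2 */
    return m;
}
```

Without the two flags the same sequence would record n + 1 violations of each kind; with them the count stays at two regardless of n.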