@@ -221,6 +221,12 @@ static int process_measurement(struct file *file, const struct cred *cred,
/* access will be denied */
if (model_violation)
action &= ~IMA_APPRAISE;
+
+ /* do not measure mutable files, if they are appraised */
+ if (ima_appraise & (IMA_APPRAISE_ENFORCE | IMA_APPRAISE_LOG) &&
+ iint && (iint->flags & IMA_APPRAISED) &&
+ !(iint->flags & IMA_DIGSIG))
+ action &= ~IMA_MEASURE;
}
if (violation_check)
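Review bot: The condition added after `action &= ~IMA_APPRAISE;` omits the `ima_integrity_model` term that the second hunk's equivalent condition (the one following `ima_appraise_measurement`) requires, so measurement is skipped here whenever appraisal is enforced or logged, even when no integrity model is selected, unless the enclosing block already establishes that a model is active. The commit description ties skipping measurement to an integrity model being selected, so the two sites should agree; I would write `if (ima_integrity_model && (ima_appraise & (IMA_APPRAISE_ENFORCE | IMA_APPRAISE_LOG)) && iint && (iint->flags & IMA_APPRAISED) && !(iint->flags & IMA_DIGSIG))`. The extra parentheses around the `&` subexpression also make the precedence explicit, which the second hunk's condition would benefit from as well. The block closed by the `}` on the line before `if (violation_check)` opens outside the hunk.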
@@ -265,9 +271,17 @@ static int process_measurement(struct file *file, const struct cred *cred,
if (!pathbuf) /* ima_rdwr_violation possibly pre-fetched */
pathname = ima_d_path(&file->f_path, &pathbuf, filename);
- if (rc == 0 && (action & IMA_APPRAISE_SUBMASK))
+ if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) {
rc = ima_appraise_measurement(func, iint, file, pathname,
xattr_value, xattr_len, opened);
+ /* do not measure mutable files, if rc == INTEGRITY_PASS */
+ if (!rc && ima_integrity_model &&
+ ima_appraise & (IMA_APPRAISE_ENFORCE | IMA_APPRAISE_LOG) &&
+ !(iint->flags & IMA_DIGSIG)) {
+ iint->flags &= ~IMA_MEASURE;
+ action &= ~IMA_MEASURE;
+ }
+ }
if (action & IMA_MEASURE)
ima_store_measurement(iint, file, pathname,
xattr_value, xattr_len, pcr);
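Review bot: `iint->flags` is dereferenced in the new `!(iint->flags & IMA_DIGSIG)` test without the `iint &&` guard that the earlier hunk's equivalent condition carries; if the `rc == 0 && (action & IMA_APPRAISE_SUBMASK)` path already guarantees a non-NULL iint (passing it to ima_appraise_measurement suggests so), a short comment stating that would make the asymmetry deliberate, otherwise the guard belongs here too. The comment `/* do not measure mutable files, if rc == INTEGRITY_PASS */` would be more precise as `/* appraisal passed (rc == 0): skip measuring mutable, unsigned files */`, since rc here is the return value of ima_appraise_measurement rather than an integrity_status. Clearing `iint->flags &= ~IMA_MEASURE` also persists the decision in the cached iint, whereas the earlier hunk only adjusts the local `action`; if that persistence is intended across later accesses, it is worth a comment. process_measurement continues outside the hunk on both sides.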
If an integrity model is selected, access to mutable files is restricted to TCB processes or mutable files are demoted. Then, files with a valid appraisal status can be excluded from measurement because they won't compromise the TCB. Remote verifiers would only require that the file didn't contain malformed data at first access (which can be guaranteed for example with a digital signature). Changelog v1 - don't clear IMA_MEASURE for files with digital signature - clear IMA_MEASURE for any integrity model - don't measure mutable files also if ima_appraise == IMA_APPRAISE_LOG Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> --- security/integrity/ima/ima_main.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-)