ima: Don't modify file descriptor mode on the fly
Commit a408e4a86b36b ("ima: open a new file instance if no read permissions") already introduced a second open to measure a file when the original file descriptor does not allow it. However, it didn't remove the existing method of changing the mode of the original file descriptor, which was kept as a fallback for when the current process does not have enough privileges to open a new one. Changing the mode isn't really an option, as the filesystem might need to do preliminary steps to make the read possible. Thus, this patch removes the code and keeps the second open as the only option to measure a file when it is unreadable with the original file descriptor. Cc: <stable@vger.kernel.org> # 4.20.x: 0014cc04e8ec0 ima: Set file->f_mode Fixes: 2fe5d6def1672 ("ima: integrity appraisal extension") Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
This commit is contained in:
parent
dea87d0889
commit
207cdd565d
@ -537,7 +537,7 @@ int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash)
|
|||||||
loff_t i_size;
|
loff_t i_size;
|
||||||
int rc;
|
int rc;
|
||||||
struct file *f = file;
|
struct file *f = file;
|
||||||
bool new_file_instance = false, modified_mode = false;
|
bool new_file_instance = false;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* For consistency, fail file's opened with the O_DIRECT flag on
|
* For consistency, fail file's opened with the O_DIRECT flag on
|
||||||
@ -555,18 +555,10 @@ int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash)
|
|||||||
O_TRUNC | O_CREAT | O_NOCTTY | O_EXCL);
|
O_TRUNC | O_CREAT | O_NOCTTY | O_EXCL);
|
||||||
flags |= O_RDONLY;
|
flags |= O_RDONLY;
|
||||||
f = dentry_open(&file->f_path, flags, file->f_cred);
|
f = dentry_open(&file->f_path, flags, file->f_cred);
|
||||||
if (IS_ERR(f)) {
|
if (IS_ERR(f))
|
||||||
/*
|
return PTR_ERR(f);
|
||||||
* Cannot open the file again, lets modify f_mode
|
|
||||||
* of original and continue
|
new_file_instance = true;
|
||||||
*/
|
|
||||||
pr_info_ratelimited("Unable to reopen file for reading.\n");
|
|
||||||
f = file;
|
|
||||||
f->f_mode |= FMODE_READ;
|
|
||||||
modified_mode = true;
|
|
||||||
} else {
|
|
||||||
new_file_instance = true;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
i_size = i_size_read(file_inode(f));
|
i_size = i_size_read(file_inode(f));
|
||||||
@ -581,8 +573,6 @@ int ima_calc_file_hash(struct file *file, struct ima_digest_data *hash)
|
|||||||
out:
|
out:
|
||||||
if (new_file_instance)
|
if (new_file_instance)
|
||||||
fput(f);
|
fput(f);
|
||||||
else if (modified_mode)
|
|
||||||
f->f_mode &= ~FMODE_READ;
|
|
||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
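Review bot: The early return added at `if (IS_ERR(f)) return PTR_ERR(f);` drops the ratelimited diagnostic the removed fallback printed, so when dentry_open() fails — for instance a write-only descriptor held by a process without read permission on the file, the very case the commit message calls out — the hash calculation now fails without leaving any trace in the log. In the measurement path that presumably means the file is absent from the measurement list (the callers are outside this section, so treat that as unverified), and an operator checking a quote against expectations cannot tell an unreadable file apart from one that was never opened. Keeping a single line before the return, `pr_info_ratelimited("Unable to reopen file for reading: %ld\n", PTR_ERR(f));`, preserves that audit trail without reintroducing the f_mode modification; the helper was already used by the removed fallback, so no new include is needed. The enclosing function ima_calc_file_hash() begins before this hunk; its `out:` label and final return are in the last hunk of this section.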
|