Bug 611633
| Summary: | integrity: incorrect refcounting problem. | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Tetsuo Handa <penguin-kernel> | ||||
| Component: | kernel | Assignee: | Red Hat Kernel Manager <kernel-mgr> | ||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Red Hat Kernel QE team <kernel-qe> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | low | ||||||
| Version: | 6.0 | CC: | aviro, jmoyer, penguin-kernel, rwheeler, zohar | ||||
| Target Milestone: | rc | ||||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2011-02-01 13:04:00 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
I forgot to call close(). Please use below test program instead.
----- Start of test program -----
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
int main(int argc, char *argv[])
{
/* Run this program as root. */
system("mount -t tmpfs none /tmp/");
system("touch /tmp/file");
close(open("/tmp/file", O_RDONLY | O_TRUNC));
system("umount /tmp/");
system("dmesg");
return 0;
}
----- End of test program -----
This issue has been proposed when we are only considering blocker issues in the current Red Hat Enterprise Linux release. It has been denied for the current Red Hat Enterprise Linux release. ** If you would still like this issue considered for the current release, ask your support representative to file as a blocker on your behalf. Otherwise ask that it be considered for the next Red Hat Enterprise Linux release. ** I believe this was reported upstream (by Tetsuo?) and fixed by the following commit:
commit 6c1488fd581a447ec87c4b59f0d33f95f0aa441b
Author: Mimi Zohar <zohar.ibm.com>
Date: Wed Sep 2 11:40:32 2009 -0400
IMA: open new file for read
When creating a new file, ima_path_check() assumed the new file
was being opened for write. Call ima_path_check() with the
appropriate acc_mode so that the read/write counters are
incremented correctly.
Signed-off-by: Mimi Zohar <zohar.com>
Signed-off-by: James Morris <jmorris>
(In reply to comment #5) > I believe this was reported upstream (by Tetsuo?) and fixed by the following > commit: > > commit 6c1488fd581a447ec87c4b59f0d33f95f0aa441b > Author: Mimi Zohar <zohar.ibm.com> > Date: Wed Sep 2 11:40:32 2009 -0400 > > IMA: open new file for read > > When creating a new file, ima_path_check() assumed the new file > was being opened for write. Call ima_path_check() with the > appropriate acc_mode so that the read/write counters are > incremented correctly. > > Signed-off-by: Mimi Zohar <zohar.com> > Signed-off-by: James Morris <jmorris> This patch is already in 2.6.32 stable. The problem, as Tetsuo stated, is that the call to update the IMA counters is based on acc_mode, while on close it is based on fmode. The two aren't the same for files opened O_TRUNC. From do_filp_open(): /* O_TRUNC implies we need access checks for write permissions */ if (flag & O_TRUNC) acc_mode |= MAY_WRITE; As of 2.6.33, the calls to IMA in the VFS layer have moved, so this bug doesn't exist. Mimi Created attachment 433503 [details]
IMA patch
I'm running with the patch, but could there be some additional testing.
Thanks!
Mimi
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux. If you would like it considered as an exception in the current release, please ask your support representative. This request was erroneously denied for the current release of Red Hat Enterprise Linux. The error has been fixed and this request has been re-proposed for the current release. This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux. If you would like it considered as an exception in the current release, please ask your support representative. Excuse me, but it seems to me that this bug was already fixed by 2.6.32-71.14.1.el6 . The changelog for 2.6.32-71.9.1.el6 includes a line: - [fs] Do not mix FMODE_ and O_ flags with break_lease() and may_open() (Harshula Jayasuriya) [648408 642677] which I think that this bug was also fixed. Mimi, can you run the test program in comment 2 on 2.6.32-71.9.1.el6 and before 2.6.32-71.9.1.el6 ? Thanks! I will close this BZ and we can reopen if Mimi's testing finds an issue. Would be nice to have access to RHEL. I compared 2.6.32-71.7.1.el6 and 2.6.32-71.14.1.el6 (which the source rpm are downloadable). I could not trigger this problem on both kernels. Thus, I also compared 2.6.32-37.el6 and 2.6.32-44.1.el6 (which the binary rpm are downloadable). I could trigger on 2.6.32-37.el6 but could not trigger on 2.6.32-44.1.el6 . There are many fs related changes in 2.6.32-38.el6 and two IMA related changes in 2.6.32-39.el6 . I don't know whether this problem was fixed between 2.6.32-37.el6 and 2.6.32-44.1.el6 or not. Sorry, I can't bisect any more... - [security] IMA: policy handling and general cleanups (Eric Paris) [584901] - [security] IMA: fix object lifetime to support non ext* FS (Eric Paris) [584901] Dear Tetsuo-san, Thanks for your testing - we will be getting other partners to test as well. We think that the fix was the one in https://bugzilla.redhat.com/show_bug.cgi?id=611633#c5 that Jeff mentioned. Regards, Ric RHEL6 2.6.32-71.el6 works properly. Looking at 2.6.32-71.14.1 source, it seems that Eric's patch "commit e0d5bd2aec4e69e - IMA: clean up the IMA counts updating code" was backported. Mimi |
Description of problem: open(O_RDONLY | O_TRUNC) causes integrity to iint->writecount++; because O_TRUNC implies MAY_WRITE. But close() causes integrity to iint->readcount--; because the file was open()ed for reading. As a result, below messages are printed. iint_free: readcount: -1 iint_free: writecount: 1 Not yet fixed as of 2.6.32-37.el6 kernel. Version-Release number of selected component (if applicable): 2.6.32-37.el6 How reproducible: Always. Steps to Reproduce: 1. Compile and run below program as root user. ----- Start of test program ----- #include <stdlib.h> #include <fcntl.h> #include <sys/types.h> int main(int argc, char *argv[]) { /* Run this program as root. */ system("mount -t tmpfs none /tmp/"); system("touch /tmp/file"); open("/tmp/file", O_RDONLY | O_TRUNC); system("umount /tmp/"); system("dmesg"); return 0; } ----- End of test program ----- Actual results: iint_free: readcount: -1 iint_free: writecount: 1 Expected results: iint_free lines are not printed. Additional info: