Re: [PATCH 3/6] integrity: IMA as an integrity service provider

[Al Viro]

On Tue, Dec 02, 2008 at 03:35:25PM -0800, Dave Hansen wrote:

> 
> > +		int rc;
> > +
> > +		mdata.mask = MAY_READ;
> > +		rc = ima_must_measure(&mdata);
> > +		if (!rc || rc == -EEXIST) {
> > +			if (atomic_read(&(path->dentry->d_count)) - 1 >
> > +			    atomic_read(&(mdata.inode->i_writecount)))
> > +				ima_add_violation(mdata.inode,
> > +						  path->dentry->d_name.name,
> > +						  "invalid_pcr", "ToMToU");
> > +		}
> > +		return 0;
> > +	}
> 
> 
> I have memories of talking about this bit.  I was confused and you
> explained it to me, but it still isn't explained in the code. :(  Again,
> I'm not convinced that this works.  Can the code convince me, or should
> I go digging in my inbox?

This bit is crap, plain and simple.  d_count doesn't work as a proxy for
"how many times had we opened this file".  At all.

a) stat(2) and just about anything else that looks funny at the pathname
will bump d_count.

b) there may be several links to given file; all will share inode and have
different dentries.

In other words, result of that comparison happens to be junk.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/