MIRRORS/linux-yocto
1
0
Fork 0
mirror of git://git.yoctoproject.org/linux-yocto.git synced 2025-10-22 15:03:53 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity
0bbbd97a44
linux-yocto/security
History
Mimi Zohar 0214b96a6a ima: limit the number of ToMToU integrity violations 
[ Upstream commit a414016218 ]

Each time a file in policy, that is already opened for read, is opened
for write, a Time-of-Measure-Time-of-Use (ToMToU) integrity violation
audit message is emitted and a violation record is added to the IMA
measurement list.  This occurs even if a ToMToU violation has already
been recorded.

Limit the number of ToMToU integrity violations per file open for read.

Note: The IMA_MAY_EMIT_TOMTOU atomic flag must be set from the reader
side based on policy.  This may result in a per file open for read
ToMToU violation.

Since IMA_MUST_MEASURE is only used for violations, rename the atomic
IMA_MUST_MEASURE flag to IMA_MAY_EMIT_TOMTOU.

Cc: stable@vger.kernel.org # applies cleanly up to linux-6.6
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Tested-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
[ adapted IMA flag definitions location from ima.h to integrity.h ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-09-19 16:32:01 +02:00
..
apparmor apparmor: use the condition in AA_BUG_FMT even with debug disabled 2025-08-28 16:28:28 +02:00
bpf bpf: lsm: Set bpf_lsm_blob_sizes.lbs_task to 0 2024-10-04 16:30:02 +02:00
integrity ima: limit the number of ToMToU integrity violations 2025-09-19 16:32:01 +02:00
keys security/keys: fix slab-out-of-bounds in key_task_permission 2024-11-14 13:19:30 +01:00
landlock landlock: Add the errata interface 2025-04-25 10:45:57 +02:00
loadpin
lockdown
safesetid safesetid: check size of policy writes 2025-02-17 09:40:06 +01:00
selinux selinux: fix selinux_xfrm_alloc_user() to set correct ctx_len 2025-06-27 11:08:59 +01:00
smack smack: Revert "smackfs: Added check catlen" 2025-06-04 14:42:09 +02:00
tomoyo tomoyo: don't emit warning in tomoyo_write_control() 2025-02-17 09:40:07 +01:00
yama
commoncap.c
device_cgroup.c
inode.c securityfs: don't pin dentries twice, once is enough... 2025-08-28 16:28:15 +02:00
Kconfig proc: add config & param to block forcing mem writes 2024-10-10 11:57:27 +02:00
Kconfig.hardening
lsm_audit.c
Makefile
min_addr.c
security.c evm: don't copy up 'security.evm' xattr 2024-08-29 17:33:31 +02:00