diff options
author | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2009-06-04 21:53:10 +0400 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2009-06-05 02:02:39 +0400 |
commit | 04288f42033607099cebf5ca15ce8dcec3a9688b (patch) | |
tree | 41d07beeefcadc4c591699c779406f556cc3433b | |
parent | bcb86975dbcc24f820f1a37918d53914af29ace7 (diff) | |
download | linux-04288f42033607099cebf5ca15ce8dcec3a9688b.tar.xz |
integrity: ima audit dentry_open failure
Until we start appraising measurements, the ima_path_check()
return code should always be 0.
- Update the ima_path_check() return code comment
- Instead of the pr_info, audit the dentry_open failure
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Acked-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r-- | security/integrity/ima/ima_main.c | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index a2eb23310eaf..6f611874d10e 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -149,8 +149,8 @@ static void ima_update_counts(struct ima_iint_cache *iint, int mask) * - Opening a file for read when already open for write, * could result in a file measurement error. * - * Return 0 on success, an error code on failure. - * (Based on the results of appraise_measurement().) + * Always return 0 and audit dentry_open failures. + * (Return code will be based upon measurement appraisal.) */ int ima_path_check(struct path *path, int mask, int update_counts) { @@ -189,8 +189,13 @@ int ima_path_check(struct path *path, int mask, int update_counts) file = dentry_open(dentry, mnt, O_RDONLY | O_LARGEFILE, current_cred()); if (IS_ERR(file)) { - pr_info("%s dentry_open failed\n", dentry->d_name.name); - rc = PTR_ERR(file); + int audit_info = 0; + + integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, + dentry->d_name.name, + "add_measurement", + "dentry_open failed", + 1, audit_info); file = NULL; goto out; } |