IMA: remove read permissions on the ima policy file
Eric Paris [Tue, 12 May 2009 19:13:55 +0000 (15:13 -0400)]
The IMA policy file does not implement read.  Trying to just open/read/close
the file will load a blank policy and you cannot then change the policy
without a reboot.  This removes the read permission from the file so one must
at least be attempting to write...

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>

security/integrity/ima/ima_fs.c

index ffbe259..3305a96 100644 (file)
@@ -15,6 +15,7 @@
  *     implemenents security file system for reporting
  *     current measurement list and IMA statistics
  */
+#include <linux/fcntl.h>
 #include <linux/module.h>
 #include <linux/seq_file.h>
 #include <linux/rculist.h>
@@ -283,6 +284,9 @@ static atomic_t policy_opencount = ATOMIC_INIT(1);
  */
 int ima_open_policy(struct inode * inode, struct file * filp)
 {
+       /* No point in being allowed to open it if you aren't going to write */
+       if (!(filp->f_flags & O_WRONLY))
+               return -EACCES;
        if (atomic_dec_and_test(&policy_opencount))
                return 0;
        return -EBUSY;
@@ -349,7 +353,7 @@ int ima_fs_init(void)
                goto out;
 
        ima_policy = securityfs_create_file("policy",
-                                           S_IRUSR | S_IRGRP | S_IWUSR,
+                                           S_IWUSR,
                                            ima_dir, NULL,
                                            &ima_measure_policy_ops);
        if (IS_ERR(ima_policy))