Each time a file in policy, that is already opened for write, is opened for read, an open-writers integrity violation audit message is emitted and a violation record is added to the IMA measurement list.
Similarly, each time a file in policy, that is already opened for read, is opened for write, a Time-of-Measure-Time-of-Use (ToMToU) integrity violation audit message is emitted and a violation record is added to the IMA measurement list.

As there is no benefit in having multiple open-writers or ToMToU violations for the same file open in the audit log and IMA measurement list, minimize them. Minimizing open-writer violations results in a single open-writers violation being emitted until all writers are closed, no matter the number of subsequent file open readers (or writers). Minimizing ToMToU violations results in a single ToMToU violation being emitted for all subsequent file open writers, until another in-policy file open reader.

Since the IMA_MUST_MEASURE atomic flag is only used for tracking ToMToU violations, rename the atomic flag to IMA_MAY_EMIT_TOMTOU. Define a new atomic flag named IMA_EMITTED_OPENWRITERS to minimize open-writer violations.

Mimi Zohar (2):
  ima: limit the number of open-writers integrity violations
  ima: limit the number of ToMToU integrity violations

 security/integrity/ima/ima.h      |  3 ++-
 security/integrity/ima/ima_main.c | 18 +++++++++++++-----
 2 files changed, 15 insertions(+), 6 deletions(-)

-- 
2.48.1
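The two minimization rules in the cover letter can be checked against a small state machine. The model below is an added illustration written for this page, not the kernel's ima_main.c or any code from the series: it keeps a constructed per-inode record with a reader count, a writer count and two booleans standing in for the IMA_MAY_EMIT_TOMTOU and IMA_EMITTED_OPENWRITERS atomic flags, and counts emissions instead of writing audit messages or measurement-list entries. The event letters ('r'/'R' open/close reader, 'w'/'W' open/close writer) and all function names are this example's own, and every open is assumed to be of a file in policy.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed per-inode state; the kernel keeps the counts on the inode and
 * the flags in the integrity iint. Counters replace audit/measurement output. */
struct ima_model_inode {
    int readcount;              /* open readers */
    int writecount;             /* open writers */
    bool may_emit_tomtou;       /* stands in for IMA_MAY_EMIT_TOMTOU */
    bool emitted_openwriters;   /* stands in for IMA_EMITTED_OPENWRITERS */
    int openwriters_violations; /* open-writers violations emitted */
    int tomtou_violations;      /* ToMToU violations emitted */
};

static void ima_model_init(struct ima_model_inode *ino)
{
    ino->readcount = ino->writecount = 0;
    ino->may_emit_tomtou = ino->emitted_openwriters = false;
    ino->openwriters_violations = ino->tomtou_violations = 0;
}

/* Reader opens a file that is in policy. */
static void ima_model_open_read(struct ima_model_inode *ino)
{
    /* One open-writers violation per set of writers: further readers (or
     * writers) stay quiet until the last writer closes. */
    if (ino->writecount > 0 && !ino->emitted_openwriters) {
        ino->openwriters_violations++;
        ino->emitted_openwriters = true;
    }
    /* A measured reader arrived, so the next writer may report ToMToU. */
    ino->may_emit_tomtou = true;
    ino->readcount++;
}

/* Writer opens a file that is in policy. */
static void ima_model_open_write(struct ima_model_inode *ino)
{
    /* One ToMToU violation for all writers until another reader opens. */
    if (ino->readcount > 0 && ino->may_emit_tomtou) {
        ino->tomtou_violations++;
        ino->may_emit_tomtou = false;
    }
    ino->writecount++;
}

static void ima_model_close_read(struct ima_model_inode *ino)
{
    if (ino->readcount > 0)
        ino->readcount--;
}

static void ima_model_close_write(struct ima_model_inode *ino)
{
    if (ino->writecount > 0)
        ino->writecount--;
    /* Last writer gone: a new writer set may be reported again. */
    if (ino->writecount == 0)
        ino->emitted_openwriters = false;
}

/* Replay a constructed event string and return the final state. */
static struct ima_model_inode ima_model_replay(const char *events)
{
    struct ima_model_inode ino;
    ima_model_init(&ino);
    for (; *events; events++) {
        switch (*events) {
        case 'r': ima_model_open_read(&ino); break;
        case 'R': ima_model_close_read(&ino); break;
        case 'w': ima_model_open_write(&ino); break;
        case 'W': ima_model_close_write(&ino); break;
        default: break; /* ignore separators such as spaces */
        }
    }
    return ino;
}

int ima_model_count_openwriters(const char *events)
{
    return ima_model_replay(events).openwriters_violations;
}

int ima_model_count_tomtou(const char *events)
{
    return ima_model_replay(events).tomtou_violations;
}

int main(void)
{
    /* writer, three readers, writer closes, reader, two writers, reader, writer */
    const char *trace = "w r r r W r w w r w";
    printf("open-writers violations: %d\n", ima_model_count_openwriters(trace));
    printf("ToMToU violations:       %d\n", ima_model_count_tomtou(trace));
    return 0;
}
```

In the trace used by main, the three readers that open while the first writer is active produce a single open-writers violation; the two writers that open while readers are present produce a single ToMToU violation; a fresh reader then re-arms both flags, so the next writer and the next reader each produce one more.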