I didn't configure the machine in question, but it looks like IMA is enabled post-boot through an init.d script.
The IMA policy includes this line, which is probably of interest here:

audit func=FILE_MMAP mask=MAY_EXEC

On Fri, May 2, 2014 at 12:45 PM, <sf...@users.sourceforge.net> wrote:
>
> Matthew Riley:
>> I'm using Ubuntu 14.04, so 3.13 kernel.
>
> Thanks.
> But I've found ima, especially with the kernel parameter "ima_tcb", never
> works on my system.
>
> I am using
> - debian
> - sysvinit-utils pkg is installed
>
> and
>
> - boot with specifying "ima_tcb"
> - sysvinit-utils contains /sbin/startpar ("start runlevel scripts in
>   parallel")
> - /sbin/startpar opens /etc/init.d/* with O_DIRECT (I don't know why
>   direct-io is necessary here)
> - near the end of open(2), ima_file_check() is called. and then (roughly)
>   + process_measurement()
>   + ima_collect_measurement()
>   + ima_calc_file_hash()
>   + kernel_read()
>   :::
>   + ext2_direct_IO()
>   :::
>   + do_blockdev_direct_IO()
>   are called.
> - in process_measurement(), ima acquires i_mutex. and
>   do_blockdev_direct_IO() tries acquiring the same i_mutex.
> - deadlock happens.
>
> In other words, O_DIRECT and IMA don't cowork, at least with "ima_tcb".
> It surely causes a deadlock.
>
> I think I need
> - another test system,
> - alternative to sysvinit-utils (since O_DIRECT in /sbin/startpar is the
>   trigger on my test system)
> or
> - I have to install another distribution (which doesn't use
>   /sbin/startpar)
>
> Anyway it will take time. If you cannot wait for the fix, I'd suggest you
> comment out the security_mmap_file() call in aufs_mmap() since it may be
> less important.
>
> By the way, are you specifying "ima_tcb", or do you have a
> config/customize file for ima? If you have, would you post the file
> here?
>
>
> J. R. Okajima
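
Added example, not part of the original thread and not kernel code: a user-space C model of the lock re-entry described in the quoted message, next to one possible mitigation. The function names follow the quoted call chain; the struct, the EDEADLK return value and the skip_direct option are assumptions made for illustration.

```c
/* Constructed user-space model of the i_mutex re-entry; not kernel source. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

struct inode_model {
    bool i_mutex_held;              /* stands in for the non-recursive i_mutex */
};

/* A kernel mutex would sleep forever on re-entry; the model reports EDEADLK. */
static int i_mutex_lock(struct inode_model *ino)
{
    if (ino->i_mutex_held)
        return EDEADLK;
    ino->i_mutex_held = true;
    return 0;
}

static void i_mutex_unlock(struct inode_model *ino) { ino->i_mutex_held = false; }

/* Direct-I/O read path: takes i_mutex itself, like do_blockdev_direct_IO(). */
static int direct_io_read(struct inode_model *ino)
{
    int err = i_mutex_lock(ino);
    if (err)
        return err;
    i_mutex_unlock(ino);
    return 0;
}

/* Hashing reads through the opened file, so an O_DIRECT open uses direct I/O. */
static int calc_file_hash(struct inode_model *ino, bool o_direct)
{
    return o_direct ? direct_io_read(ino) : 0;   /* buffered read: no i_mutex */
}

/* skip_direct is a hypothetical mitigation: do not hash O_DIRECT opens. */
int process_measurement(struct inode_model *ino, bool o_direct, bool skip_direct)
{
    int err = i_mutex_lock(ino);                 /* IMA holds i_mutex here */
    if (err)
        return err;
    if (o_direct && skip_direct)
        err = EACCES;                            /* unmeasured: must be logged */
    else
        err = calc_file_hash(ino, o_direct);     /* may re-enter i_mutex */
    i_mutex_unlock(ino);
    return err;
}

int main(void)
{
    struct inode_model ino = { false };
    printf("buffered open:        %d\n", process_measurement(&ino, false, false));
    printf("O_DIRECT open:        %d\n", process_measurement(&ino, true, false));
    printf("O_DIRECT, mitigated:  %d\n", process_measurement(&ino, true, true));
    return 0;
}
```

The mitigated path trades the hang for an unmeasured file, so any real deployment of that idea would need the skipped open to be recorded rather than silently allowed.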