From: Stefan Berger <stefanb@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: zohar@linux.ibm.com, serge@hallyn.com,
christian.brauner@ubuntu.com, containers@lists.linux.dev,
dmitry.kasatkin@gmail.com, ebiederm@xmission.com,
krzysztof.struczynski@huawei.com, roberto.sassu@huawei.com,
mpeters@redhat.com, lhinds@redhat.com, lsturman@redhat.com,
puiterwi@redhat.com, jejb@linux.ibm.com, jamjoom@us.ibm.com,
linux-kernel@vger.kernel.org, paul@paul-moore.com,
rgb@redhat.com, linux-security-module@vger.kernel.org,
jmorris@namei.org, jpenumak@redhat.com,
Stefan Berger <stefanb@linux.ibm.com>
Subject: [PATCH v12 20/26] ima: Remove unused iints from the integrity_iint_cache
Date: Wed, 20 Apr 2022 10:06:27 -0400 [thread overview]
Message-ID: <20220420140633.753772-21-stefanb@linux.ibm.com> (raw)
In-Reply-To: <20220420140633.753772-1-stefanb@linux.ibm.com>
When the rbtree of an IMA namespace is torn down, also remove those iints
that are completely unused since only the torn-down namespace stored data
about the associated inode in it.
An iint is unused when the following two conditions are met:
- Its ns_status list is empty which means that no IMA namespace
currently has auditing related state stored in it.
- The iint's flags don't contain any of the flags IMA_MEASURE,
IMA_APPRAISE or IMA_HASH that the host would still store there.
It doesn't need an ns_status list for these but also only for
IMA_AUDIT.
Introduce the #define IMA_IINT_FLAGS that represent the mask to test the
iint->flags with in this case. This test provides the reason to keep the
iint if any of these flags are set.
The IMA_IINT_FLAGS mask will loose its flags as more flags are namespaced
and can then be removed in the end and only the check for the empty list
will remain.
Process the list of garbage-collected ns_status outside the locking of
the ns_status tree and related lock-group and free any iint that was
previously found to be unused while walking the list. File accesses, that
may have happened in the meantime, could have re-activated the iint and
therefore pass along the test function to check whether the iint is still
unused.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
v11:
- change write_lock to read_lock in callback
---
security/integrity/iint.c | 4 +++
security/integrity/ima/ima.h | 2 ++
security/integrity/ima/ima_ns_status.c | 43 +++++++++++++++++++++++++-
security/integrity/integrity.h | 1 +
4 files changed, 49 insertions(+), 1 deletion(-)
diff --git a/security/integrity/iint.c b/security/integrity/iint.c
index 4580df0e716e..b0996bd0ee67 100644
--- a/security/integrity/iint.c
+++ b/security/integrity/iint.c
@@ -158,6 +158,10 @@ void integrity_inode_free(struct inode *inode, iint_removable_cb check)
write_lock(&integrity_iint_lock);
iint = __integrity_iint_find(inode);
+ if (!iint) {
+ write_unlock(&integrity_iint_lock);
+ return;
+ }
if (check)
freeit = check(iint);
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index b7e1f4b5eb30..cb48fc1d5b80 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -501,6 +501,8 @@ static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op,
#define IMA_NS_STATUS_ACTIONS IMA_AUDIT
#define IMA_NS_STATUS_FLAGS (IMA_AUDIT | IMA_AUDITED)
+#define IMA_IINT_FLAGS (IMA_MEASURE | IMA_APPRAISE | IMA_HASH)
+
static inline unsigned long iint_flags(struct integrity_iint_cache *iint,
struct ns_status *ns_status)
{
diff --git a/security/integrity/ima/ima_ns_status.c b/security/integrity/ima/ima_ns_status.c
index 9c753caad6ac..32d75dbd9c21 100644
--- a/security/integrity/ima/ima_ns_status.c
+++ b/security/integrity/ima/ima_ns_status.c
@@ -131,6 +131,26 @@ static void ns_status_free(struct ima_namespace *ns,
kmem_cache_free(ns->ns_status_cache, ns_status);
}
+/* Test whether an iint is unused due to empty ns_status list AND the
+ * not-yet namespaced flags are not set on it.
+ */
+static bool __iint_is_unused(struct integrity_iint_cache *iint)
+{
+ return list_empty(&iint->ns_list) &&
+ (iint_flags(iint, NULL) & IMA_IINT_FLAGS) == 0;
+}
+
+static bool iint_is_unused(struct integrity_iint_cache *iint)
+{
+ bool ret;
+
+ read_lock(&iint->ns_list_lock);
+ ret = __iint_is_unused(iint);
+ read_unlock(&iint->ns_list_lock);
+
+ return ret;
+}
+
/*
* ima_free_ns_status_tree - free all items on the ns_status_tree and take each
* one off the list; yield to ns_list free'ers
@@ -161,6 +181,18 @@ void ima_free_ns_status_tree(struct ima_namespace *ns)
if (!list_empty(&ns_status->ns_next)) {
list_del_init(&ns_status->ns_next);
llist_add(&ns_status->gc_llist, &garbage);
+
+ /*
+ * While ns_status->iint is guaranteed to be
+ * there, check whether the iint is still in
+ * use by anyone at this moment.
+ */
+ if (__iint_is_unused(ns_status->iint)) {
+ ns_status->inode_to_remove =
+ ns_status->iint->inode;
+ } else {
+ ns_status->inode_to_remove = NULL;
+ }
ctr++;
}
write_unlock(&ns_status->iint->ns_list_lock);
@@ -180,8 +212,17 @@ void ima_free_ns_status_tree(struct ima_namespace *ns)
} while (restart);
node = llist_del_all(&garbage);
- llist_for_each_entry_safe(ns_status, next, node, gc_llist)
+ llist_for_each_entry_safe(ns_status, next, node, gc_llist) {
+ if (ns_status->inode_to_remove) {
+ /*
+ * Pass along the test function in case inode is in
+ * use now.
+ */
+ integrity_inode_free(ns_status->inode_to_remove,
+ iint_is_unused);
+ }
ns_status_free(ns, ns_status);
+ }
kmem_cache_destroy(ns->ns_status_cache);
}
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 33084ab2addd..b3460517344a 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -144,6 +144,7 @@ struct ns_status {
ino_t i_ino;
u32 i_generation;
struct llist_node gc_llist; /* used while freeing */
+ void *inode_to_remove; /* used while freeing */
#endif
};
--
2.34.1
next prev parent reply other threads:[~2022-04-20 14:07 UTC|newest]
Thread overview: 76+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-20 14:06 [PATCH v12 00/26] ima: Namespace IMA with audit support in IMA-ns Stefan Berger
2022-04-20 14:06 ` [PATCH v12 01/26] securityfs: rework dentry creation Stefan Berger
2022-05-09 19:54 ` Serge E. Hallyn
2022-05-09 20:36 ` Serge E. Hallyn
2022-05-10 8:43 ` Amir Goldstein
2022-05-10 10:38 ` Christian Brauner
2022-05-10 14:51 ` Serge E. Hallyn
2022-05-10 14:53 ` Serge E. Hallyn
2022-05-10 10:26 ` Christian Brauner
2022-05-10 10:25 ` Christian Brauner
2022-05-10 14:10 ` Serge E. Hallyn
2022-05-10 15:51 ` Christian Brauner
2022-05-10 18:51 ` Serge E. Hallyn
2022-05-10 20:41 ` Serge E. Hallyn
2022-06-09 14:27 ` Mimi Zohar
2022-05-10 16:50 ` Stefan Berger
2022-04-20 14:06 ` [PATCH v12 02/26] securityfs: Extend securityfs with namespacing support Stefan Berger
2022-05-21 2:23 ` Serge E. Hallyn
2022-05-21 9:38 ` Christian Brauner
2022-05-21 15:09 ` Serge E. Hallyn
2022-07-07 14:34 ` Stefan Berger
2022-04-20 14:06 ` [PATCH v12 03/26] ima: Define ima_namespace struct and start moving variables into it Stefan Berger
2022-05-21 2:33 ` Serge E. Hallyn
2022-05-24 14:57 ` Stefan Berger
2022-05-24 15:05 ` Serge E. Hallyn
2022-05-24 16:18 ` Stefan Berger
2022-04-20 14:06 ` [PATCH v12 04/26] ima: Move arch_policy_entry into ima_namespace Stefan Berger
2022-05-21 2:46 ` Serge E. Hallyn
2022-05-21 3:07 ` Serge E. Hallyn
2022-07-07 14:12 ` Stefan Berger
2022-04-20 14:06 ` [PATCH v12 05/26] ima: Move ima_htable " Stefan Berger
2022-05-21 2:50 ` Serge E. Hallyn
2022-04-20 14:06 ` [PATCH v12 06/26] ima: Move measurement list related variables " Stefan Berger
2022-05-21 2:55 ` Serge E. Hallyn
2022-04-20 14:06 ` [PATCH v12 07/26] ima: Move some IMA policy and filesystem " Stefan Berger
2022-05-21 3:03 ` Serge E. Hallyn
2022-04-20 14:06 ` [PATCH v12 08/26] ima: Move IMA securityfs files into ima_namespace or onto stack Stefan Berger
2022-05-21 3:24 ` Serge E. Hallyn
2022-04-20 14:06 ` [PATCH v12 09/26] ima: Move ima_lsm_policy_notifier into ima_namespace Stefan Berger
2022-05-22 2:35 ` Serge E. Hallyn
2022-04-20 14:06 ` [PATCH v12 10/26] ima: Switch to lazy lsm policy updates for better performance Stefan Berger
2022-05-22 17:06 ` Serge E. Hallyn
2022-04-20 14:06 ` [PATCH v12 11/26] ima: Define mac_admin_ns_capable() as a wrapper for ns_capable() Stefan Berger
2022-05-22 17:31 ` Serge E. Hallyn
2022-05-24 14:17 ` Stefan Berger
2022-04-20 14:06 ` [PATCH v12 12/26] ima: Only accept AUDIT rules for non-init_ima_ns namespaces for now Stefan Berger
2022-05-22 17:38 ` Serge E. Hallyn
2022-05-24 13:25 ` Stefan Berger
2022-04-20 14:06 ` [PATCH v12 13/26] userns: Add pointer to ima_namespace to user_namespace Stefan Berger
2022-05-22 18:24 ` Serge E. Hallyn
2022-05-23 9:59 ` Christian Brauner
2022-05-23 11:31 ` Stefan Berger
2022-05-23 12:41 ` Christian Brauner
2022-05-23 12:58 ` Stefan Berger
2022-05-23 14:25 ` Serge E. Hallyn
2022-07-07 14:14 ` Stefan Berger
2022-04-20 14:06 ` [PATCH v12 14/26] ima: Implement hierarchical processing of file accesses Stefan Berger
2022-05-23 0:42 ` Serge E. Hallyn
2022-04-20 14:06 ` [PATCH v12 15/26] ima: Implement ima_free_policy_rules() for freeing of an ima_namespace Stefan Berger
2022-05-23 0:43 ` Serge E. Hallyn
2022-04-20 14:06 ` [PATCH v12 16/26] ima: Add functions for creating and " Stefan Berger
2022-05-30 1:07 ` Serge E. Hallyn
2022-04-20 14:06 ` [PATCH v12 17/26] integrity/ima: Define ns_status for storing namespaced iint data Stefan Berger
2022-04-20 14:06 ` [PATCH v12 18/26] integrity: Add optional callback function to integrity_inode_free() Stefan Berger
2022-04-20 14:06 ` [PATCH v12 19/26] ima: Namespace audit status flags Stefan Berger
2022-04-20 14:06 ` Stefan Berger [this message]
2022-04-20 14:06 ` [PATCH v12 21/26] ima: Setup securityfs for IMA namespace Stefan Berger
2022-05-30 1:16 ` Serge E. Hallyn
2022-05-31 19:26 ` Stefan Berger
2022-04-20 14:06 ` [PATCH v12 22/26] ima: Introduce securityfs file to activate an " Stefan Berger
2022-04-20 14:06 ` [PATCH v12 23/26] ima: Show owning user namespace's uid and gid when displaying policy Stefan Berger
2022-05-22 17:54 ` Serge E. Hallyn
2022-05-24 13:19 ` Stefan Berger
2022-04-20 14:06 ` [PATCH v12 24/26] ima: Limit number of policy rules in non-init_ima_ns Stefan Berger
2022-04-20 14:06 ` [PATCH v12 25/26] ima: Restrict informational audit messages to init_ima_ns Stefan Berger
2022-04-20 14:06 ` [PATCH v12 26/26] ima: Enable IMA namespaces Stefan Berger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220420140633.753772-21-stefanb@linux.ibm.com \
--to=stefanb@linux.ibm.com \
--cc=christian.brauner@ubuntu.com \
--cc=containers@lists.linux.dev \
--cc=dmitry.kasatkin@gmail.com \
--cc=ebiederm@xmission.com \
--cc=jamjoom@us.ibm.com \
--cc=jejb@linux.ibm.com \
--cc=jmorris@namei.org \
--cc=jpenumak@redhat.com \
--cc=krzysztof.struczynski@huawei.com \
--cc=lhinds@redhat.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lsturman@redhat.com \
--cc=mpeters@redhat.com \
--cc=paul@paul-moore.com \
--cc=puiterwi@redhat.com \
--cc=rgb@redhat.com \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.