From: Dmitry Kasatkin <d.kasatkin@samsung.com>
To: zohar@linux.vnet.ibm.com, linux-ima-devel@lists.sourceforge.net,
	linux-security-module@vger.kernel.org, roberto.sassu@polito.it
Cc: linux-kernel@vger.kernel.org, dmitry.kasatkin@gmail.com,
	Dmitry Kasatkin <d.kasatkin@samsung.com>
Subject: [PATCH 1/1] ima: check ima_policy_flag in the ima_file_free() hook
Date: Thu, 02 Oct 2014 12:21:44 +0300
Message-ID: <2b752cc0ffc2738b9b0b69878ca6c304a6e3eb4b.1412241704.git.d.kasatkin@samsung.com>
In-Reply-To: <542D0C33.2010700@polito.it>

ima_file_free() checks 'iint_initialized' unnecessarily, because
the S_IMA flag would not be set if the iint was not allocated. At the
same time, the integrity cache is allocated with SLAB_PANIC and the
kernel will panic if the allocation fails during kernel initialization.
So on a running system iint_initialized is always true and can be
removed.

This patch uses the recently introduced ima_policy_flag to test if IMA
is enabled by policy.

Changes in v3:
* not limiting test to IMA_APPRAISE (spotted by Roberto Sassu)

Changes in v2:
* 'iint_initialized' removal patch merged to this patch (requested
   by Mimi)

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
---
 security/integrity/iint.c         | 3 ---
 security/integrity/ima/ima_main.c | 2 +-
 security/integrity/integrity.h    | 3 ---
 3 files changed, 1 insertion(+), 7 deletions(-)

diff --git a/security/integrity/iint.c b/security/integrity/iint.c
index a521edf..cc3eb4d 100644
--- a/security/integrity/iint.c
+++ b/security/integrity/iint.c
@@ -25,8 +25,6 @@ static struct rb_root integrity_iint_tree = RB_ROOT;
 static DEFINE_RWLOCK(integrity_iint_lock);
 static struct kmem_cache *iint_cache __read_mostly;
 
-int iint_initialized;
-
 /*
  * __integrity_iint_find - return the iint associated with an inode
  */
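Review bot: Dropping the `int iint_initialized;` definition is only safe because the same patch also removes its `extern` in integrity.h and its single reader in ima_file_free(), so every intermediate tree state still builds and bisects cleanly; the diffstat (1 insertion, 7 deletions across the three files) confirms the three pieces travel together. It would be worth a sentence in the commit message saying that a tree-wide search turned up no other users of the symbol (EVM included), since any remaining reference now becomes a build failure rather than a runtime check.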
@@ -166,7 +164,6 @@ static int __init integrity_iintcache_init(void)
 	iint_cache =
 	    kmem_cache_create("iint_cache", sizeof(struct integrity_iint_cache),
 			      0, SLAB_PANIC, init_once);
-	iint_initialized = 1;
 	return 0;
 }
 security_initcall(integrity_iintcache_init);
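Review bot: The justification for removing `iint_initialized = 1;` is entirely carried by the `SLAB_PANIC` flag on the `kmem_cache_create()` call two lines above, which guarantees the kernel never continues with `iint_cache == NULL`. That dependency is invisible in the code once the flag is gone; a one-line comment next to the `kmem_cache_create()` call stating that callers rely on SLAB_PANIC (so no "initialized" state needs tracking) would keep a future change that relaxes the allocation flags from silently reintroducing a use of an unallocated cache.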
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 62f59ec..72faf0b 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -143,7 +143,7 @@ void ima_file_free(struct file *file)
 	struct inode *inode = file_inode(file);
 	struct integrity_iint_cache *iint;
 
-	if (!iint_initialized || !S_ISREG(inode->i_mode))
+	if (!ima_policy_flag || !S_ISREG(inode->i_mode))
 		return;
 
 	iint = integrity_iint_find(inode);
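Review bot: Replacing `!iint_initialized` with `!ima_policy_flag` changes what the early return means: the old test was a one-time initialization state, the new one is a runtime policy state. Everything after the `return` (starting with `integrity_iint_find()`) is now skipped whenever no IMA rule is active at close time, so a regular file that was opened and written while the flag was set and closed after the flag dropped to zero would not reach the last-writer handling below. Please state in the commit message whether ima_policy_flag can transition back to zero once set; if it is effectively monotonic after policy load this is fine, otherwise a short note on why the remaining window is acceptable would help reviewers. The v3 change to test the flag as a whole rather than only IMA_APPRAISE matches the "enabled by policy" wording in the description.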
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index aafb468..f51ad65 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -169,6 +169,3 @@ static inline void integrity_audit_msg(int audit_msgno, struct inode *inode,
 {
 }
 #endif
-
-/* set during initialization */
-extern int iint_initialized;
-- 
1.9.1


Thread overview: 13+ messages
2014-10-01 18:43 [PATCH v2 0/4] integrity: few code cleanups Dmitry Kasatkin
2014-10-01 18:43 ` [PATCH v2 1/4] integrity: add missing '__init' keyword for integrity_init_keyring() Dmitry Kasatkin
2014-10-01 18:43 ` [PATCH v2 2/4] evm: skip replacing EVM signature with HMAC on read-only filesystem Dmitry Kasatkin
2014-10-01 18:43 ` [PATCH v2 3/4] ima: check appraisal flag in the ima_file_free() hook Dmitry Kasatkin
2014-10-02  8:26   ` [Linux-ima-devel] " Roberto Sassu
2014-10-02  9:21     ` Dmitry Kasatkin [this message]
2014-10-02  9:30     ` Dmitry Kasatkin
2014-10-02 10:06       ` Roberto Sassu
2014-10-02 10:43         ` Dmitry Kasatkin
2014-10-02 11:42           ` Roberto Sassu
2014-10-02 13:03             ` Mimi Zohar
2014-10-02 13:12               ` Dmitry Kasatkin
2014-10-01 18:43 ` [PATCH v2 4/4] ima: use path names cache Dmitry Kasatkin
