* New flag to super block for IMA
@ 2012-09-04 19:37 Kasatkin, Dmitry
  2012-09-10  6:37 ` Kasatkin, Dmitry
  0 siblings, 1 reply; 2+ messages in thread
From: Kasatkin, Dmitry @ 2012-09-04 19:37 UTC (permalink / raw)
  To: Al Viro; +Cc: linux-security-module, linux-fsdevel, Mimi Zohar

Hello Al,

Certain file system types and partitions will never be measured or
appraised depending on the IMA policy.
For example, pseudo file systems are not measured and appraised.
In the upstream IMA implementation the policy is checked again and again
for every inode in the filesystem.
It happens thousands of times per second. That is an absolute waste of CPU
and maybe battery resources.

To overcome this issue I would like to have a flag in the super block data
structure which can be set once if IMA
does not need to measure anything from a partition. The flag might be
tested by the IMA hooks to return without doing anything.

I looked at <linux/fs.h> and found that it is possible to
add an additional flag to sb->s_flags.
For example:

#define MS_NOT_IMA		(1<<25) /* NOT_IMA */
#define IS_I_NOT_IMA(inode)   __IS_FLG(inode, MS_NOT_IMA)


Another way is to add an additional dedicated member to the sb structure.

Can you please advise about this?

Thanks,
Dmitry

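A user-space model of the proposed fast path, added here as an illustration and not code from the thread or from the kernel: the struct layouts are stand-ins, `ima_hook`, `ima_policy_match` and `policy_checks_for` are hypothetical names, and only `__IS_FLG` and the existing MS_* bit values are taken from <linux/fs.h> of that era. It counts how many policy walks a pseudo filesystem costs with and without the flag, and checks at compile time that bit 25 does not collide with the existing s_flags bits.

```c
#include <string.h>
#include <stdio.h>

/* Existing s_flags bits the new one must not overlap (values from <linux/fs.h>). */
#define MS_I_VERSION   (1UL<<23)
#define MS_STRICTATIME (1UL<<24)
#define MS_ACTIVE      (1UL<<30)

#define MS_NOT_IMA     (1UL<<25)  /* proposed: nothing on this sb is measured/appraised */
_Static_assert((MS_NOT_IMA & (MS_I_VERSION | MS_STRICTATIME | MS_ACTIVE)) == 0,
               "MS_NOT_IMA collides with an existing s_flags bit");

/* Stand-in layouts, not the kernel's structures. */
struct super_block { unsigned long s_flags; const char *s_type; };
struct inode { struct super_block *i_sb; unsigned long i_ino; };

#define __IS_FLG(inode, flg) ((inode)->i_sb->s_flags & (flg))
#define IS_I_NOT_IMA(inode)  __IS_FLG(inode, MS_NOT_IMA)

static unsigned long policy_checks;   /* how often the policy was walked */

/* Hypothetical stand-in for the IMA policy walk: only ext4 inodes match here. */
static int ima_policy_match(struct inode *inode)
{
    policy_checks++;
    return strcmp(inode->i_sb->s_type, "ext4") == 0;
}

/* Hypothetical IMA hook with the proposed fast path; returns 1 when measured. */
int ima_hook(struct inode *inode)
{
    if (IS_I_NOT_IMA(inode))
        return 0;                 /* decided once per super block, no policy walk */
    return ima_policy_match(inode);
}

/* Opens the same inode of a constructed "proc" sb n times; returns policy walks. */
unsigned long policy_checks_for(int flag_sb, unsigned n)
{
    struct super_block sb = { .s_flags = flag_sb ? MS_NOT_IMA : 0, .s_type = "proc" };
    struct inode ino = { .i_sb = &sb, .i_ino = 1 };
    policy_checks = 0;
    for (unsigned i = 0; i < n; i++)
        ima_hook(&ino);
    return policy_checks;
}

int main(void)
{
    printf("without flag: %lu policy walks\n", policy_checks_for(0, 1000));
    printf("with flag:    %lu policy walks\n", policy_checks_for(1, 1000));
    return 0;
}
```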

* Re: New flag to super block for IMA
From: Kasatkin, Dmitry @ 2012-09-10  6:37 UTC (permalink / raw)
  To: Al Viro; +Cc: linux-security-module, linux-fsdevel, Mimi Zohar

Hello,

Can anyone give a comment about it?


- Dmitry


On Tue, Sep 4, 2012 at 10:37 PM, Kasatkin, Dmitry
<dmitry.kasatkin@intel.com> wrote:
> Hello Al,
>
> Certain file system types and partitions will never be measured or
> appraised depending on the IMA policy.
> For example, pseudo file systems are not measured and appraised.
> In the upstream IMA implementation the policy is checked again and again
> for every inode in the filesystem.
> It happens thousands of times per second. That is an absolute waste of CPU
> and maybe battery resources.
>
> To overcome this issue I would like to have a flag in the super block data
> structure which can be set once if IMA
> does not need to measure anything from a partition. The flag might be
> tested by the IMA hooks to return without doing anything.
>
> I looked at <linux/fs.h> and found that it is possible to
> add an additional flag to sb->s_flags.
> For example:
>
> #define MS_NOT_IMA              (1<<25) /* NOT_IMA */
> #define IS_I_NOT_IMA(inode)   __IS_FLG(inode, MS_NOT_IMA)
>
>
> Another way is to add an additional dedicated member to the sb structure.
>
> Can you please advise about this?
>
> Thanks,
> Dmitry

