From: Mimi Zohar <zohar@linux.ibm.com>
To: Stefan Berger <stefanb@linux.vnet.ibm.com>,
linux-integrity@vger.kernel.org
Cc: serge@hallyn.com, christian.brauner@ubuntu.com,
containers@lists.linux.dev, dmitry.kasatkin@gmail.com,
ebiederm@xmission.com, krzysztof.struczynski@huawei.com,
roberto.sassu@huawei.com, mpeters@redhat.com, lhinds@redhat.com,
lsturman@redhat.com, puiterwi@redhat.com, jejb@linux.ibm.com,
jamjoom@us.ibm.com, linux-kernel@vger.kernel.org,
paul@paul-moore.com, rgb@redhat.com,
linux-security-module@vger.kernel.org, jmorris@namei.org,
Stefan Berger <stefanb@linux.ibm.com>
Subject: Re: [PATCH v9 16/23] ima: Implement ima_free_policy_rules() for freeing of an ima_namespace
Date: Fri, 28 Jan 2022 09:02:23 -0500 [thread overview]
Message-ID: <258c7c5e1aebfc9376560549794d43e744654713.camel@linux.ibm.com> (raw)
In-Reply-To: <20220125224645.79319-17-stefanb@linux.vnet.ibm.com>
Hi Stefan,
On Tue, 2022-01-25 at 17:46 -0500, Stefan Berger wrote:
> From: Stefan Berger <stefanb@linux.ibm.com>
>
> Implement ima_free_policy_rules() that is needed when an ima_namespace
> is freed.
>
> Only reset temp_ima_appraise when using init_ima_ns.
Instead of having to walk the policy rules to know if there are any
"appraise" rules, the ima_appraise flag is set. For now, only reset
temp_ima_appraise flag on failed policy rule updates for init_ima_ns.
>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>
> ---
> v9:
> - Only reset temp_ima_appraise when using init_ima_ns.
> ---
> security/integrity/ima/ima.h | 1 +
> security/integrity/ima/ima_policy.c | 20 +++++++++++++++++++-
> 2 files changed, 20 insertions(+), 1 deletion(-)
>
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index aea8fb8d2854..8c757223d549 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -329,6 +329,7 @@ void ima_update_policy_flags(struct ima_namespace *ns);
> ssize_t ima_parse_add_rule(struct ima_namespace *ns, char *rule);
> void ima_delete_rules(struct ima_namespace *ns);
> int ima_check_policy(struct ima_namespace *ns);
> +void ima_free_policy_rules(struct ima_namespace *ns);
> void *ima_policy_start(struct seq_file *m, loff_t *pos);
> void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos);
> void ima_policy_stop(struct seq_file *m, void *v);
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index e8140e73d80b..47f2d1b5d156 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -1880,13 +1880,31 @@ void ima_delete_rules(struct ima_namespace *ns)
> {
> struct ima_rule_entry *entry, *tmp;
>
> - temp_ima_appraise = 0;
> + if (ns == &init_ima_ns)
> + temp_ima_appraise = 0;
> +
> list_for_each_entry_safe(entry, tmp, &ns->ima_temp_rules, list) {
> list_del(&entry->list);
> ima_free_rule(entry);
> }
> }
>
> +/**
> + * ima_free_policy_rules - free all policy rules
> + * @ns: IMA namespace that has the policy
> + */
> +void ima_free_policy_rules(struct ima_namespace *ns)
> +{
> + struct ima_rule_entry *entry, *tmp;
> +
> + ima_delete_rules(ns);
When the IMA policy is being extended, new rules are temporarily added
to the ima_temp_rules list. If the entire set of rules being added are
valid, they're appended to the tail.
There shouldn't be any rules on the ima_temp_rules list unless the
policy is currently being extended. Is that possible at this point?
> +
> + list_for_each_entry_safe(entry, tmp, &ns->ima_policy_rules, list) {
> + list_del(&entry->list);
> + ima_free_rule(entry);
> + }
> +}
> +
> #define __ima_hook_stringify(func, str) (#func),
>
> const char *const func_tokens[] = {
thanks,
Mimi
next prev parent reply other threads:[~2022-01-28 14:03 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-25 22:46 [PATCH v9 00/23] ima: Namespace IMA with audit support in IMA-ns Stefan Berger
2022-01-25 22:46 ` [PATCH v9 01/23] ima: Remove ima_policy file before directory Stefan Berger
2022-01-26 8:30 ` Christian Brauner
2022-01-25 22:46 ` [PATCH v9 02/23] ima: Do not print policy rule with inactive LSM labels Stefan Berger
2022-01-26 8:38 ` Christian Brauner
2022-01-27 14:12 ` Mimi Zohar
2022-01-25 22:46 ` [PATCH v9 03/23] securityfs: rework dentry creation Stefan Berger
2022-01-25 22:46 ` [PATCH v9 04/23] securityfs: Extend securityfs with namespacing support Stefan Berger
2022-01-27 16:53 ` Mimi Zohar
2022-01-31 22:28 ` Stefan Berger
2022-01-31 23:43 ` Mimi Zohar
2022-01-25 22:46 ` [PATCH v9 05/23] ima: Define ima_namespace struct and start moving variables into it Stefan Berger
2022-01-26 8:47 ` Christian Brauner
2022-01-25 22:46 ` [PATCH v9 06/23] ima: Move arch_policy_entry into ima_namespace Stefan Berger
2022-01-26 9:11 ` Christian Brauner
2022-01-27 19:42 ` Mimi Zohar
2022-01-25 22:46 ` [PATCH v9 07/23] ima: Move ima_htable " Stefan Berger
2022-01-26 9:16 ` Christian Brauner
2022-01-25 22:46 ` [PATCH v9 08/23] ima: Move measurement list related variables " Stefan Berger
2022-01-26 9:21 ` Christian Brauner
2022-01-26 22:23 ` Stefan Berger
2022-01-27 21:48 ` Mimi Zohar
2022-01-28 14:06 ` Stefan Berger
2022-01-25 22:46 ` [PATCH v9 09/23] ima: Move some IMA policy and filesystem " Stefan Berger
2022-01-26 9:23 ` Christian Brauner
2022-01-27 22:30 ` Mimi Zohar
2022-01-28 15:44 ` Stefan Berger
2022-01-28 16:03 ` Mimi Zohar
2022-01-25 22:46 ` [PATCH v9 10/23] ima: Move IMA securityfs files into ima_namespace or onto stack Stefan Berger
2022-01-26 9:40 ` Christian Brauner
2022-01-27 17:02 ` Stefan Berger
2022-01-28 3:13 ` Mimi Zohar
2022-01-25 22:46 ` [PATCH v9 11/23] ima: Move ima_lsm_policy_notifier into ima_namespace Stefan Berger
2022-01-26 13:05 ` Christian Brauner
2022-01-26 21:54 ` Stefan Berger
2022-01-25 22:46 ` [PATCH v9 12/23] ima: Define mac_admin_ns_capable() as a wrapper for ns_capable() Stefan Berger
2022-01-26 13:43 ` Christian Brauner
2022-01-25 22:46 ` [PATCH v9 13/23] ima: Only accept AUDIT rules for non-init_ima_ns namespaces for now Stefan Berger
2022-01-26 13:44 ` Christian Brauner
2022-01-25 22:46 ` [PATCH v9 14/23] userns: Add pointer to ima_namespace to user_namespace Stefan Berger
2022-01-26 14:46 ` Christian Brauner
2022-01-25 22:46 ` [PATCH v9 15/23] ima: Implement hierarchical processing of file accesses Stefan Berger
2022-01-26 12:39 ` Christian Brauner
2022-01-26 22:05 ` Stefan Berger
2022-01-25 22:46 ` [PATCH v9 16/23] ima: Implement ima_free_policy_rules() for freeing of an ima_namespace Stefan Berger
2022-01-28 14:02 ` Mimi Zohar [this message]
2022-01-31 18:56 ` Stefan Berger
2022-01-25 22:46 ` [PATCH v9 17/23] ima: Add functions for creating and " Stefan Berger
2022-01-26 13:56 ` Christian Brauner
2022-01-25 22:46 ` [PATCH v9 18/23] integrity/ima: Define ns_status for storing namespaced iint data Stefan Berger
2022-01-25 22:46 ` [PATCH v9 19/23] ima: Namespace audit status flags Stefan Berger
2022-01-25 22:46 ` [PATCH v9 20/23] ima: Setup securityfs for IMA namespace Stefan Berger
2022-01-26 14:03 ` Christian Brauner
2022-01-25 22:46 ` [PATCH v9 21/23] ima: Introduce securityfs file to activate an " Stefan Berger
2022-01-26 14:31 ` Christian Brauner
2022-01-27 15:24 ` Stefan Berger
2022-01-25 22:46 ` [PATCH v9 22/23] ima: Show owning user namespace's uid and gid when displaying policy Stefan Berger
2022-01-26 14:43 ` Christian Brauner
2022-01-26 14:43 ` Christian Brauner
2022-01-26 23:13 ` Stefan Berger
2022-01-25 22:46 ` [PATCH v9 23/23] ima: Enable IMA namespaces Stefan Berger
2022-01-26 14:57 ` Christian Brauner
2022-01-26 13:19 ` [PATCH v9 00/23] ima: Namespace IMA with audit support in IMA-ns Christian Brauner
2022-01-28 18:34 ` Stefan Berger
2022-01-26 16:52 ` Stefan Berger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=258c7c5e1aebfc9376560549794d43e744654713.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=christian.brauner@ubuntu.com \
--cc=containers@lists.linux.dev \
--cc=dmitry.kasatkin@gmail.com \
--cc=ebiederm@xmission.com \
--cc=jamjoom@us.ibm.com \
--cc=jejb@linux.ibm.com \
--cc=jmorris@namei.org \
--cc=krzysztof.struczynski@huawei.com \
--cc=lhinds@redhat.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lsturman@redhat.com \
--cc=mpeters@redhat.com \
--cc=paul@paul-moore.com \
--cc=puiterwi@redhat.com \
--cc=rgb@redhat.com \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=stefanb@linux.ibm.com \
--cc=stefanb@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).