lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1264519015.3789.28.camel@dyn9002018117.watson.ibm.com>
Date:	Tue, 26 Jan 2010 10:16:55 -0500
From:	Mimi Zohar <zohar@...ux.vnet.ibm.com>
To:	Al Viro <viro@...IV.linux.org.uk>
Cc:	linux-kernel@...r.kernel.org, Eric Paris <eparis@...hat.com>,
	Hugh Dickins <hugh.dickins@...cali.co.uk>,
	James Morris <jmorris@...ei.org>,
	David Safford <safford@...son.ibm.com>,
	"Serge E. Hallyn" <serue@...ux.vnet.ibm.com>,
	Mimi Zohar <zohar@...ibm.com>
Subject: Re: [RFC PATCH 1/2] Fix 1 untangling ima mess, part 2 with counters

On Tue, 2010-01-26 at 13:03 +0000, Al Viro wrote:
> OK, this stuff is in for-next, with the following changes:
> 	* nfsd call has been moved to nfsd_open()
> 	* patches reordered
> 	* masking irrelevant bits (i.e. leaving only MAY_{READ,WRITE,EXEC})
> has been taken to ima_path_check(); all callers do it and it's safer that
> way anyway.
> 
> Please, see if it's OK with you in this form; other calls of dentry_open()
> are separate story, we'll have to see which ones should and which ones
> should not get ima_path_check().  Do you have any other problems with that
> one?  If not, it's going to migrate into for-linus and into the mainline;
> this stuff is definitely 2.6.33 fodder.

I'll look at the patches, but in the meantime we also needed the
following patch.

commit 8262bb85da4a71c4ff8c9b22e03aff11f8427b6d
Author: Eric Paris <eparis@...hat.com>
Date:   Wed Dec 9 15:29:01 2009 -0500

    ima: initialize ima before inodes can be allocated
    
    ima wants to create an inode information struct (iint) when inodes are
    allocated.  This means that at least the part of ima which does this
    allocation (the allocation is filled with information later) should
    before any inodes are created.  To accomplish this we split the ima
    initialization routine placing the kmem cache allocator inside a
    security_initcall() function.  Since this makes use of radix trees we also
    need to make sure that is initialized before security_initcall().
    
    Signed-off-by: Eric Paris <eparis@...hat.com>
    Acked-by: Mimi Zohar <zohar@...ux.vnet.ibm.com>

Index: security-testing-2.6/init/main.c
===================================================================
--- security-testing-2.6.orig/init/main.c
+++ security-testing-2.6/init/main.c
@@ -663,9 +663,9 @@ asmlinkage void __init start_kernel(void
 	proc_caches_init();
 	buffer_init();
 	key_init();
+	radix_tree_init();
 	security_init();
 	vfs_caches_init(totalram_pages);
-	radix_tree_init();
 	signals_init();
 	/* rootfs populating might need page-writeback */
 	page_writeback_init();
Index: security-testing-2.6/security/integrity/ima/ima.h
===================================================================
--- security-testing-2.6.orig/security/integrity/ima/ima.h
+++ security-testing-2.6/security/integrity/ima/ima.h
@@ -65,7 +65,6 @@ void integrity_audit_msg(int audit_msgno
 			 const char *cause, int result, int info);
 
 /* Internal IMA function definitions */
-void ima_iintcache_init(void);
 int ima_init(void);
 void ima_cleanup(void);
 int ima_fs_init(void);
Index: security-testing-2.6/security/integrity/ima/ima_iint.c
===================================================================
--- security-testing-2.6.orig/security/integrity/ima/ima_iint.c
+++ security-testing-2.6/security/integrity/ima/ima_iint.c
@@ -52,9 +52,6 @@ int ima_inode_alloc(struct inode *inode)
 	struct ima_iint_cache *iint = NULL;
 	int rc = 0;
 
-	if (!ima_initialized)
-		return 0;
-
 	iint = kmem_cache_alloc(iint_cache, GFP_NOFS);
 	if (!iint)
 		return -ENOMEM;
@@ -118,8 +115,6 @@ void ima_inode_free(struct inode *inode)
 {
 	struct ima_iint_cache *iint;
 
-	if (!ima_initialized)
-		return;
 	spin_lock(&ima_iint_lock);
 	iint = radix_tree_delete(&ima_iint_store, (unsigned long)inode);
 	spin_unlock(&ima_iint_lock);
@@ -141,9 +136,11 @@ static void init_once(void *foo)
 	kref_set(&iint->refcount, 1);
 }
 
-void __init ima_iintcache_init(void)
+static int __init ima_iintcache_init(void)
 {
 	iint_cache =
 	    kmem_cache_create("iint_cache", sizeof(struct ima_iint_cache), 0,
 			      SLAB_PANIC, init_once);
+	return 0;
 }
+security_initcall(ima_iintcache_init);
Index: security-testing-2.6/security/integrity/ima/ima_main.c
===================================================================
--- security-testing-2.6.orig/security/integrity/ima/ima_main.c
+++ security-testing-2.6/security/integrity/ima/ima_main.c
@@ -319,7 +319,6 @@ static int __init init_ima(void)
 {
 	int error;
 
-	ima_iintcache_init();
 	error = ima_init();
 	ima_initialized = 1;
 	return error;
 


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ