| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <b6aaf04b-c20f-64b7-1c4d-14aea032a773@linux.ibm.com>
Date: Thu, 16 Dec 2021 16:38:02 -0500
From: Stefan Berger <stefanb@...ux.ibm.com>
To: Christian Brauner <christian.brauner@...ntu.com>,
Stefan Berger <stefanb@...ux.vnet.ibm.com>
Cc: linux-integrity@...r.kernel.org, zohar@...ux.ibm.com,
serge@...lyn.com, containers@...ts.linux.dev,
dmitry.kasatkin@...il.com, ebiederm@...ssion.com,
krzysztof.struczynski@...wei.com, roberto.sassu@...wei.com,
mpeters@...hat.com, lhinds@...hat.com, lsturman@...hat.com,
puiterwi@...hat.com, jejb@...ux.ibm.com, jamjoom@...ibm.com,
linux-kernel@...r.kernel.org, paul@...l-moore.com, rgb@...hat.com,
linux-security-module@...r.kernel.org, jmorris@...ei.org,
James Bottomley <James.Bottomley@...senPartnership.com>
Subject: Re: [PATCH v7 14/14] ima: Setup securityfs for IMA namespace
On 12/16/21 08:51, Christian Brauner wrote:
>
>> +int ima_fs_ns_init(struct user_namespace *user_ns, struct dentry *root)
>> {
>> struct ima_namespace *ns = user_ns->ima_ns;
>> - struct dentry *ima_dir;
>> + struct dentry *int_dir;
>> + struct dentry *ima_dir = NULL;
>> struct dentry *ima_symlink = NULL;
>> struct dentry *binary_runtime_measurements = NULL;
>> struct dentry *ascii_runtime_measurements = NULL;
>> struct dentry *runtime_measurements_count = NULL;
>> struct dentry *violations = NULL;
>>
>> - ima_dir = securityfs_create_dir("ima", integrity_dir);
>> + /* FIXME: update when evm and integrity are namespaced */
>> + if (user_ns != &init_user_ns) {
>> + int_dir =
>> + securityfs_create_dir("integrity", root);
>> + if (IS_ERR(int_dir))
>> + return -1;
> That should probably be return PTR_ERR(int_dir)
That's actually from current usptream (
https://elixir.bootlin.com/linux/latest/source/security/integrity/ima/ima_fs.c#L457
) The question is then whether at the end it should also return
something else than what it currently returns:
out:
securityfs_remove(violations);
[...]
securityfs_remove(ima_policy);
return -1;
Powered by blists - more mailing lists