lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <d53a66a2-17e2-54b3-f115-efd7c58080a7@linux.ibm.com>
Date:   Tue, 18 Jan 2022 15:12:59 -0500
From:   Stefan Berger <stefanb@...ux.ibm.com>
To:     Mimi Zohar <zohar@...ux.ibm.com>,
        Stefan Berger <stefanb@...ux.vnet.ibm.com>,
        linux-integrity@...r.kernel.org
Cc:     serge@...lyn.com, christian.brauner@...ntu.com,
        containers@...ts.linux.dev, dmitry.kasatkin@...il.com,
        ebiederm@...ssion.com, krzysztof.struczynski@...wei.com,
        roberto.sassu@...wei.com, mpeters@...hat.com, lhinds@...hat.com,
        lsturman@...hat.com, puiterwi@...hat.com, jejb@...ux.ibm.com,
        jamjoom@...ibm.com, linux-kernel@...r.kernel.org,
        paul@...l-moore.com, rgb@...hat.com,
        linux-security-module@...r.kernel.org, jmorris@...ei.org
Subject: Re: [PATCH v8 07/19] ima: Move dentry into ima_namespace and others
 onto stack


On 1/13/22 15:28, Mimi Zohar wrote:
> Hi Stefan,
>
> Nobody refers to the IMA securityfs files as dentries.  The Subject
> line is suppose to provide a hint about the patch.  How about changing
> the "Subject" line to "ima: Move IMA securityfs files into
> ima_namespaces or onto stack".
>
> On Tue, 2022-01-04 at 12:04 -0500, Stefan Berger wrote:
>> From: Stefan Berger <stefanb@...ux.ibm.com>
>>
>> Move the policy file dentry into the ima_namespace for reuse by
>> virtualized SecurityFS and for being able to remove it from
>> the filesystem. Move the other dentries onto the stack.
> Missing is an explanation why the other IMA securityfs files can be on
> the stack.  Maybe start out by saying that the ns_ima_init securityfs
> files are never deleted.  Then transition into the IMA namespaced
> securityfs files and how they will be deleted.

How about this:

ima: Move IMA securityfs files into ima_namespace or onto stack

Move the IMA policy file's dentry into the ima_namespace for reuse by
virtualized securityfs and for being able to remove the file from the
filesystem using securityfs_remove().

Move the other files' dentries onto the stack since they are not needed
outside the function where they are created in. Also, their cleanup is
automatically handled by the filesystem upon umount of a virtualized
secruityfs instance, so they don't need to be explicitly freed anymore.

When moving the dentry 'ima_policy' into ima_namespace rename it to
'policy_dentry' to clarify its datatype and avoid a name clash with
'int ima_policy' from ima_policy.c.

    Stefan



>> Signed-off-by: Stefan Berger <stefanb@...ux.ibm.com>
>> ---
>>   security/integrity/ima/ima.h    |  2 ++
>>   security/integrity/ima/ima_fs.c | 32 ++++++++++++++++++--------------
>>   2 files changed, 20 insertions(+), 14 deletions(-)
>>
>> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
>> index 82b3f6a98320..224b09617c52 100644
>> --- a/security/integrity/ima/ima.h
>> +++ b/security/integrity/ima/ima.h
>> @@ -140,6 +140,8 @@ struct ima_namespace {
>>   	struct mutex ima_write_mutex;
>>   	unsigned long ima_fs_flags;
>>   	int valid_policy;
>> +
>> +	struct dentry *policy_dentry;
> None of the other securityfs files are renamed.  Why is "ima_policy"
> being renamed to "policy_dentry"?  If there is a need, it should be
> documented in the patch description.
>
> thanks,
>
> Mimi
>
>>   } __randomize_layout;
>>   extern struct ima_namespace init_ima_ns;
>>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ