| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20220125224645.79319-11-stefanb@linux.vnet.ibm.com>
Date: Tue, 25 Jan 2022 17:46:32 -0500
From: Stefan Berger <stefanb@...ux.vnet.ibm.com>
To: linux-integrity@...r.kernel.org
Cc: zohar@...ux.ibm.com, serge@...lyn.com,
christian.brauner@...ntu.com, containers@...ts.linux.dev,
dmitry.kasatkin@...il.com, ebiederm@...ssion.com,
krzysztof.struczynski@...wei.com, roberto.sassu@...wei.com,
mpeters@...hat.com, lhinds@...hat.com, lsturman@...hat.com,
puiterwi@...hat.com, jejb@...ux.ibm.com, jamjoom@...ibm.com,
linux-kernel@...r.kernel.org, paul@...l-moore.com, rgb@...hat.com,
linux-security-module@...r.kernel.org, jmorris@...ei.org,
Stefan Berger <stefanb@...ux.ibm.com>
Subject: [PATCH v9 10/23] ima: Move IMA securityfs files into ima_namespace or onto stack
From: Stefan Berger <stefanb@...ux.ibm.com>
Only the securityfs IMA policy file is ever removed based on Kconfig
options. For this reason, move the IMA securityfs policy file variable
'ima_policy' into the ima_namespace.
Move the other IMA securityfs files onto the stack since they are not
needed outside the function where they are created in. Also, their cleanup
is automatically handled by the filesystem upon umount of a virtualized
securityfs instance, so they don't need to be explicitly freed.
In the failure cleanup path clean up the ima_policy dentry before
cleaning up the directories.
Signed-off-by: Stefan Berger <stefanb@...ux.ibm.com>
---
v9:
- Revert renaming of ima_policy to policy_dentry
---
security/integrity/ima/ima.h | 2 ++
security/integrity/ima/ima_fs.c | 36 ++++++++++++++++++---------------
2 files changed, 22 insertions(+), 16 deletions(-)
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 1092c926daf9..94c6e3a4d666 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -142,6 +142,8 @@ struct ima_namespace {
struct mutex ima_write_mutex;
unsigned long ima_fs_flags;
int valid_policy;
+
+ struct dentry *ima_policy;
} __randomize_layout;
extern struct ima_namespace init_ima_ns;
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index 34132cc7de4d..3afb7a74d2cf 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -359,14 +359,6 @@ static ssize_t ima_write_policy(struct file *file, const char __user *buf,
return result;
}
-static struct dentry *ima_dir;
-static struct dentry *ima_symlink;
-static struct dentry *binary_runtime_measurements;
-static struct dentry *ascii_runtime_measurements;
-static struct dentry *runtime_measurements_count;
-static struct dentry *violations;
-static struct dentry *ima_policy;
-
enum ima_fs_flags {
IMA_FS_BUSY,
};
@@ -436,8 +428,8 @@ static int ima_release_policy(struct inode *inode, struct file *file)
ima_update_policy(ns);
#if !defined(CONFIG_IMA_WRITE_POLICY) && !defined(CONFIG_IMA_READ_POLICY)
- securityfs_remove(ima_policy);
- ima_policy = NULL;
+ securityfs_remove(ns->ima_policy);
+ ns->ima_policy = NULL;
#elif defined(CONFIG_IMA_WRITE_POLICY)
clear_bit(IMA_FS_BUSY, &ns->ima_fs_flags);
#elif defined(CONFIG_IMA_READ_POLICY)
@@ -454,8 +446,15 @@ static const struct file_operations ima_measure_policy_ops = {
.llseek = generic_file_llseek,
};
-int __init ima_fs_init(void)
+static int __init ima_fs_ns_init(struct ima_namespace *ns)
{
+ struct dentry *ima_dir;
+ struct dentry *ima_symlink = NULL;
+ struct dentry *binary_runtime_measurements = NULL;
+ struct dentry *ascii_runtime_measurements = NULL;
+ struct dentry *runtime_measurements_count = NULL;
+ struct dentry *violations = NULL;
+
ima_dir = securityfs_create_dir("ima", integrity_dir);
if (IS_ERR(ima_dir))
return -1;
@@ -492,15 +491,15 @@ int __init ima_fs_init(void)
if (IS_ERR(violations))
goto out;
- ima_policy = securityfs_create_file("policy", POLICY_FILE_FLAGS,
- ima_dir, NULL,
- &ima_measure_policy_ops);
- if (IS_ERR(ima_policy))
+ ns->ima_policy = securityfs_create_file("policy", POLICY_FILE_FLAGS,
+ ima_dir, NULL,
+ &ima_measure_policy_ops);
+ if (IS_ERR(ns->ima_policy))
goto out;
return 0;
out:
- securityfs_remove(ima_policy);
+ securityfs_remove(ns->ima_policy);
securityfs_remove(violations);
securityfs_remove(runtime_measurements_count);
securityfs_remove(ascii_runtime_measurements);
@@ -509,3 +508,8 @@ int __init ima_fs_init(void)
securityfs_remove(ima_dir);
return -1;
}
+
+int __init ima_fs_init(void)
+{
+ return ima_fs_ns_init(&init_ima_ns);
+}
--
2.31.1
Powered by blists - more mailing lists