lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <af944c80-aaa0-357d-eac3-f902c196fa0b@linux.ibm.com>
Date:   Thu, 27 Jan 2022 12:02:25 -0500
From:   Stefan Berger <stefanb@...ux.ibm.com>
To:     Christian Brauner <brauner@...nel.org>,
        Stefan Berger <stefanb@...ux.vnet.ibm.com>
Cc:     linux-integrity@...r.kernel.org, zohar@...ux.ibm.com,
        serge@...lyn.com, christian.brauner@...ntu.com,
        containers@...ts.linux.dev, dmitry.kasatkin@...il.com,
        ebiederm@...ssion.com, krzysztof.struczynski@...wei.com,
        roberto.sassu@...wei.com, mpeters@...hat.com, lhinds@...hat.com,
        lsturman@...hat.com, puiterwi@...hat.com, jejb@...ux.ibm.com,
        jamjoom@...ibm.com, linux-kernel@...r.kernel.org,
        paul@...l-moore.com, rgb@...hat.com,
        linux-security-module@...r.kernel.org, jmorris@...ei.org
Subject: Re: [PATCH v9 10/23] ima: Move IMA securityfs files into
 ima_namespace or onto stack


On 1/26/22 04:40, Christian Brauner wrote:
> On Tue, Jan 25, 2022 at 05:46:32PM -0500, Stefan Berger wrote:
>> From: Stefan Berger <stefanb@...ux.ibm.com>
>>
>> Only the securityfs IMA policy file is ever removed based on Kconfig
>> options. For this reason, move the IMA securityfs policy file variable
>> 'ima_policy' into the ima_namespace.
>>
>> Move the other IMA securityfs files onto the stack since they are not
>> needed outside the function where they are created in. Also, their cleanup
>> is automatically handled by the filesystem upon umount of a virtualized
>> securityfs instance, so they don't need to be explicitly freed.
> I'd reverse the explantion in the commit and mention the securityfs
> change that makes this move possible which is patch 3 in this version of
> the series ("securityfs: rework dentry creation"); something like:
>
> 	Earlier we simplified how dentry creation and deletion is manged in
> 	securityfs. This allows us to move IMA securityfs files from global
> 	variables directly into ima_fs_ns_init() itself. We can now rely on
> 	those dentries to be cleaned up when the securityfs instance is cleaned
> 	when the last reference to it is dropped.
> 	
> 	Things are slightly different for the initial ima namespace. In contrast
> 	to non-initial ima namespaces it has pinning logic binding the lifetime
> 	of the securityfs superblock to created dentries. We need to keep this
> 	behavior to not regress userspace. Since ima never removes most of the
> 	securityfs files the initial securityfs instance stays pinned. This also
> 	means even for the initial ima namespace we don't need to keep
> 	references to these dentries anywhere.
> 	
> 	The ima_policy file is the exception since ima can end up removing it if
> 	a non-default policy is written at some point.
>
> Last sentence should be checked for sensibility by ima folks.

I remove the if clause and took the other text as-is...

Thanks.

    Stefan

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ