| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20220524150551.GA14813@mail.hallyn.com>
Date: Tue, 24 May 2022 10:05:51 -0500
From: "Serge E. Hallyn" <serge@...lyn.com>
To: Stefan Berger <stefanb@...ux.ibm.com>
Cc: "Serge E. Hallyn" <serge@...lyn.com>,
linux-integrity@...r.kernel.org, zohar@...ux.ibm.com,
christian.brauner@...ntu.com, containers@...ts.linux.dev,
dmitry.kasatkin@...il.com, ebiederm@...ssion.com,
krzysztof.struczynski@...wei.com, roberto.sassu@...wei.com,
mpeters@...hat.com, lhinds@...hat.com, lsturman@...hat.com,
puiterwi@...hat.com, jejb@...ux.ibm.com, jamjoom@...ibm.com,
linux-kernel@...r.kernel.org, paul@...l-moore.com, rgb@...hat.com,
linux-security-module@...r.kernel.org, jmorris@...ei.org,
jpenumak@...hat.com, Christian Brauner <brauner@...nel.org>
Subject: Re: [PATCH v12 03/26] ima: Define ima_namespace struct and start
moving variables into it
On Tue, May 24, 2022 at 10:57:13AM -0400, Stefan Berger wrote:
>
>
> On 5/20/22 22:33, Serge E. Hallyn wrote:
>
> > > diff --git a/security/integrity/ima/ima_queue_keys.c b/security/integrity/ima/ima_queue_keys.c
> > > index 93056c03bf5a..e366a21dd8be 100644
> > > --- a/security/integrity/ima/ima_queue_keys.c
> > > +++ b/security/integrity/ima/ima_queue_keys.c
> > > @@ -10,6 +10,7 @@
> > > #include <linux/user_namespace.h>
> > > #include <linux/workqueue.h>
> > > +#include <linux/ima.h>
> > > #include <keys/asymmetric-type.h>
> > > #include "ima.h"
> > > @@ -42,7 +43,7 @@ static bool timer_expired;
> > > static void ima_keys_handler(struct work_struct *work)
> > > {
> > > timer_expired = true;
> > > - ima_process_queued_keys();
> > > + ima_process_queued_keys(&init_ima_ns);
> > > }
> > > /*
> > > @@ -130,11 +131,15 @@ bool ima_queue_key(struct key *keyring, const void *payload,
> > > * This function sets ima_process_keys to true and processes queued keys.
> > > * From here on keys will be processed right away (not queued).
> > > */
> > > -void ima_process_queued_keys(void)
> > > +void ima_process_queued_keys(struct ima_namespace *ns)
> > > {
> > > struct ima_key_entry *entry, *tmp;
> > > bool process = false;
> > > + /* only applies to init_ima_ns */
> >
> > Hm, yes, it seems to, but it should be unreachable with
> > ns != &init_ima_ns, ever, right?
> >
> > So it seems better to either not have this hunk at all, (both
> > here and at ima_keys_handler()) or to actually have a BUG_ON.
> >
> > Or am I completely misreading the situation?
>
> No, you are right. This function is only calledwith ns = &init_ima_ns at the
> moment. How about changing it to this here?
>
> if (WARN_ON(ns != &init_ima_ns))
> return;
Sounds good, thanks.
Powered by blists - more mailing lists