[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20230206140253.3755945-21-stefanb@linux.ibm.com>
Date: Mon, 6 Feb 2023 09:02:47 -0500
From: Stefan Berger <stefanb@...ux.ibm.com>
To: linux-integrity@...r.kernel.org
Cc: zohar@...ux.ibm.com, serge@...lyn.com, brauner@...nel.org,
containers@...ts.linux.dev, dmitry.kasatkin@...il.com,
ebiederm@...ssion.com, krzysztof.struczynski@...wei.com,
roberto.sassu@...wei.com, mpeters@...hat.com, lhinds@...hat.com,
lsturman@...hat.com, puiterwi@...hat.com, jejb@...ux.ibm.com,
jamjoom@...ibm.com, linux-kernel@...r.kernel.org,
paul@...l-moore.com, rgb@...hat.com,
linux-security-module@...r.kernel.org, jmorris@...ei.org,
jpenumak@...hat.com, Stefan Berger <stefanb@...ux.ibm.com>
Subject: [PATCH v15 20/26] ima: Remove unused iints from the integrity_iint_cache
When the rbtree of an IMA namespace is torn down, also remove those iints
that are completely unused since only the torn-down namespace stored data
about the associated inode in it.
An iint is unused when the following two conditions are met:
- Its ns_status list is empty which means that no IMA namespace
currently has auditing related state stored in it.
- The iint's flags don't contain any of the flags IMA_MEASURE,
IMA_APPRAISE or IMA_HASH that the host would still store there.
It doesn't need an ns_status list for these but also only for
IMA_AUDIT.
Introduce the #define IMA_IINT_FLAGS that represent the mask to test the
iint->flags with in this case. This test provides the reason to keep the
iint if any of these flags are set.
The IMA_IINT_FLAGS mask will loose its flags as more flags are namespaced
and can then be removed in the end and only the check for the empty list
will remain.
Process the list of garbage-collected ns_status outside the locking of
the ns_status tree and related lock-group and free any iint that was
previously found to be unused while walking the list. File accesses, that
may have happened in the meantime, could have re-activated the iint and
therefore pass along the test function to check whether the iint is still
unused.
Signed-off-by: Stefan Berger <stefanb@...ux.ibm.com>
---
v11:
- change write_lock to read_lock in callback
---
security/integrity/iint.c | 4 +++
security/integrity/ima/ima.h | 2 ++
security/integrity/ima/ima_ns_status.c | 43 +++++++++++++++++++++++++-
security/integrity/integrity.h | 1 +
4 files changed, 49 insertions(+), 1 deletion(-)
diff --git a/security/integrity/iint.c b/security/integrity/iint.c
index 4580df0e716e..b0996bd0ee67 100644
--- a/security/integrity/iint.c
+++ b/security/integrity/iint.c
@@ -158,6 +158,10 @@ void integrity_inode_free(struct inode *inode, iint_removable_cb check)
write_lock(&integrity_iint_lock);
iint = __integrity_iint_find(inode);
+ if (!iint) {
+ write_unlock(&integrity_iint_lock);
+ return;
+ }
if (check)
freeit = check(iint);
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 4ac937c2c039..dfbe1a59b9a1 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -502,6 +502,8 @@ static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op,
#define IMA_NS_STATUS_ACTIONS IMA_AUDIT
#define IMA_NS_STATUS_FLAGS (IMA_AUDIT | IMA_AUDITED)
+#define IMA_IINT_FLAGS (IMA_MEASURE | IMA_APPRAISE | IMA_HASH)
+
static inline unsigned long iint_flags(struct integrity_iint_cache *iint,
struct ns_status *ns_status)
{
diff --git a/security/integrity/ima/ima_ns_status.c b/security/integrity/ima/ima_ns_status.c
index 9c753caad6ac..32d75dbd9c21 100644
--- a/security/integrity/ima/ima_ns_status.c
+++ b/security/integrity/ima/ima_ns_status.c
@@ -131,6 +131,26 @@ static void ns_status_free(struct ima_namespace *ns,
kmem_cache_free(ns->ns_status_cache, ns_status);
}
+/* Test whether an iint is unused due to empty ns_status list AND the
+ * not-yet namespaced flags are not set on it.
+ */
+static bool __iint_is_unused(struct integrity_iint_cache *iint)
+{
+ return list_empty(&iint->ns_list) &&
+ (iint_flags(iint, NULL) & IMA_IINT_FLAGS) == 0;
+}
+
+static bool iint_is_unused(struct integrity_iint_cache *iint)
+{
+ bool ret;
+
+ read_lock(&iint->ns_list_lock);
+ ret = __iint_is_unused(iint);
+ read_unlock(&iint->ns_list_lock);
+
+ return ret;
+}
+
/*
* ima_free_ns_status_tree - free all items on the ns_status_tree and take each
* one off the list; yield to ns_list free'ers
@@ -161,6 +181,18 @@ void ima_free_ns_status_tree(struct ima_namespace *ns)
if (!list_empty(&ns_status->ns_next)) {
list_del_init(&ns_status->ns_next);
llist_add(&ns_status->gc_llist, &garbage);
+
+ /*
+ * While ns_status->iint is guaranteed to be
+ * there, check whether the iint is still in
+ * use by anyone at this moment.
+ */
+ if (__iint_is_unused(ns_status->iint)) {
+ ns_status->inode_to_remove =
+ ns_status->iint->inode;
+ } else {
+ ns_status->inode_to_remove = NULL;
+ }
ctr++;
}
write_unlock(&ns_status->iint->ns_list_lock);
@@ -180,8 +212,17 @@ void ima_free_ns_status_tree(struct ima_namespace *ns)
} while (restart);
node = llist_del_all(&garbage);
- llist_for_each_entry_safe(ns_status, next, node, gc_llist)
+ llist_for_each_entry_safe(ns_status, next, node, gc_llist) {
+ if (ns_status->inode_to_remove) {
+ /*
+ * Pass along the test function in case inode is in
+ * use now.
+ */
+ integrity_inode_free(ns_status->inode_to_remove,
+ iint_is_unused);
+ }
ns_status_free(ns, ns_status);
+ }
kmem_cache_destroy(ns->ns_status_cache);
}
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 50a5d94593e1..0634320a6bc2 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -167,6 +167,7 @@ struct ns_status {
ino_t i_ino;
u32 i_generation;
struct llist_node gc_llist; /* used while freeing */
+ void *inode_to_remove; /* used while freeing */
#endif
};
--
2.37.3
Powered by blists - more mailing lists