| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <9c8979adb9b575d2f938043f61e2be82c898632a.camel@huaweicloud.com> Date: Wed, 27 Nov 2024 16:57:27 +0100 From: Roberto Sassu <roberto.sassu@...weicloud.com> To: Shu Han <ebpqwerty472123@...il.com> Cc: zohar@...ux.ibm.com, dmitry.kasatkin@...il.com, eric.snowberg@...cle.com, paul@...l-moore.com, jmorris@...ei.org, serge@...lyn.com, linux-integrity@...r.kernel.org, linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org, bpf@...r.kernel.org, Roberto Sassu <roberto.sassu@...wei.com> Subject: Re: [PATCH 1/3] ima: Remove inode lock On Wed, 2024-10-09 at 23:59 +0800, Shu Han wrote: > > Finally, expand the critical region in process_measurement() > > guarded by > > iint->mutex up to where the inode was locked, use only one iint > > lock in > > __ima_inode_hash(), since the mutex is now in the inode security > > blob, and > > replace the inode_lock()/inode_unlock() calls in > > ima_check_last_writer(). > > I am not familiar with this, so the following statement may be > inaccurate: > > I suspect that modifying the `i_flags` field through > `inode->i_flags |= S_IMA;` in `ima_inode_get` may cause a > race, as this patch removes the write lock for inodes in > process_measurement(). > > For example, swapon() adds the S_SWAPFILE tag under inode write > lock's > protection. > > Perhaps this initialization tag(`S_IMA`) can also be moved into > inode's > security blob. It would not even be necessary, since after making IMA as a regular LSM the S_IMA check can be replaced by testing whether or not the pointer of inode integrity metadata in the security blob is NULL. Will remove S_IMA. Thanks Roberto
Powered by blists - more mailing lists