Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 0f34a006 authored by Dmitry Kasatkin's avatar Dmitry Kasatkin Committed by Mimi Zohar
Browse files

ima: check ima_policy_flag in the ima_file_free() hook 



This patch completes the switching to the 'ima_policy_flag' variable
in the checks at the beginning of IMA functions, starting with the
commit a756024e.

Checking 'iint_initialized' is completely unnecessary, because
S_IMA flag is unset if iint was not allocated. At the same time
the integrity cache is allocated with SLAB_PANIC and the kernel will
panic if the allocation fails during kernel initialization. So on
a running system iint_initialized is always true and can be removed.

Changes in v3:
* not limiting test to IMA_APPRAISE (spotted by Roberto Sassu)

Changes in v2:
* 'iint_initialized' removal patch merged to this patch (requested
   by Mimi)

Signed-off-by: default avatarDmitry Kasatkin <d.kasatkin@samsung.com>
Acked-by: default avatarRoberto Sassu <roberto.sassu@polito.it>
parent 594081ee

security/integrity/iint.c

+0 −3
Original line number Diff line number Diff line
@@ -25,8 +25,6 @@ static struct rb_root integrity_iint_tree = RB_ROOT; 
static DEFINE_RWLOCK(integrity_iint_lock);

static struct kmem_cache *iint_cache __read_mostly;



int iint_initialized;



/*

 * __integrity_iint_find - return the iint associated with an inode

 */
@@ -166,7 +164,6 @@ static int __init integrity_iintcache_init(void) 
	iint_cache =

	    kmem_cache_create("iint_cache", sizeof(struct integrity_iint_cache),

			      0, SLAB_PANIC, init_once);

	iint_initialized = 1;

	return 0;

}

security_initcall(integrity_iintcache_init);

security/integrity/ima/ima_main.c

+1 −1
Original line number Diff line number Diff line
@@ -143,7 +143,7 @@ void ima_file_free(struct file *file) 
	struct inode *inode = file_inode(file);

	struct integrity_iint_cache *iint;



	if (!iint_initialized || !S_ISREG(inode->i_mode))

	if (!ima_policy_flag || !S_ISREG(inode->i_mode))

		return;



	iint = integrity_iint_find(inode);

security/integrity/integrity.h

+0 −3
Original line number Diff line number Diff line
@@ -169,6 +169,3 @@ static inline void integrity_audit_msg(int audit_msgno, struct inode *inode, 
{

}

#endif
 


/* set during initialization */

extern int iint_initialized;