From: Mimi Zohar <zohar@linux.ibm.com>
To: Janne Karhunen <janne.karhunen@gmail.com>,
linux-integrity@vger.kernel.org
Subject: Re: [PATCH] integrity: make 'sync' update the inode integrity state
Date: Thu, 11 Apr 2019 09:03:04 -0400
Message-ID: <1554987784.7843.40.camel@linux.ibm.com>
In-Reply-To: <20190410145659.26347-1-janne.karhunen@gmail.com>
Hi Janne,
I need to finish up a couple of other things before vacation. Below
are just a few comments/questions for you to think about.
On Wed, 2019-04-10 at 17:56 +0300, Janne Karhunen wrote:
> +/**
> + * ima_file_update - called from sync to update xattrs
> + * @file: pointer to file structure being updated
> + */
> +void ima_file_update(struct file *file)
> +{
> + struct inode *inode = file_inode(file);
> + struct integrity_iint_cache *iint;
> +
> + if (!ima_policy_flag || !S_ISREG(inode->i_mode))
> + return;
> +
> + iint = integrity_iint_find(inode);
> + if (!iint)
> + return;
> +
> + mutex_lock(&iint->mutex);
> + if (atomic_read(&inode->i_writecount) == 1) {
This test limits the number of opened writers. Only if there is a
single writer opened, will the xattr be updated. Is this what you
intended?
Your testing should open the same file for write multiple times.
> + clear_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
> + if (!IS_I_VERSION(inode) ||
> + !inode_eq_iversion(inode, iint->version)) {
> + iint->flags &= ~IMA_COLLECTED;
> + ima_update_xattr(iint, file);
Relatively recently there were some changes to iversion so that it
isn't being updated as frequently. Can we use i_version here?
> + }
> + }
> + mutex_unlock(&iint->mutex);
> +}
> +EXPORT_SYMBOL_GPL(ima_file_update);
> +
> /**
> * ima_path_check - based on policy, collect/store measurement.
> * @file: pointer to the file to be measured
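Review bot: clear_bit() on IMA_UPDATE_XATTR discards whether the file was actually written, so on a filesystem without i_version (where !IS_I_VERSION(inode) is always true) every sync with a single open writer rewrites security.ima for that file, written or not. Consider `update = test_and_clear_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);` and calling ima_update_xattr() only when update is set, which also keeps this path consistent with the last-writer update done on close. Also, EXPORT_SYMBOL_GPL(ima_file_update) looks unnecessary: the only caller added by this patch is in security/security.c, which is built in.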
> diff --git a/security/security.c b/security/security.c
> index 23cbb1a295a3..6a0980a1df22 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -1451,6 +1451,11 @@ int security_file_open(struct file *file)
> return fsnotify_perm(file, MAY_OPEN);
> }
>
> +void security_file_sync(struct file *file)
> +{
> + ima_file_update(file);
> +}
> +
Either this is an LSM hook or it isn't. If it's an LSM hook it needs
to be similar to the existing hooks. If it's an IMA hook, like
ima_file_check() or ima_file_free(), then call it directly.
Normally the function name is related to the LSM hook name. For
example, I would name it ima_file_sync.
Mimi
> int security_task_alloc(struct task_struct *task, unsigned long clone_flags)
> {
> int rc = lsm_task_alloc(task);
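Review bot: security_file_sync() calls ima_file_update() unconditionally, so this needs a prototype for security_file_sync() in include/linux/security.h and a static inline no-op ima_file_update() for the !CONFIG_IMA case in include/linux/ima.h, otherwise the build breaks when IMA is disabled; neither appears in the visible hunks. The fs-side call site in the sync path is also not shown, so it is unclear whether this runs for fsync(2) only or for sync(2)/syncfs(2) as well, which matters for how often iint->mutex is taken.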