From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Frederick Lawler <fred@cloudflare.com>,
Roberto Sassu <roberto.sassu@huawei.com>,
Mimi Zohar <zohar@linux.ibm.com>, Sasha Levin <sashal@kernel.org>,
dmitry.kasatkin@gmail.com, paul@paul-moore.com,
jmorris@namei.org, serge@hallyn.com,
linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: [PATCH AUTOSEL 6.6 17/21] ima: process_measurement() needlessly takes inode_lock() on MAY_READ
Date: Tue, 29 Apr 2025 19:52:29 -0400
Message-ID: <20250429235233.537828-17-sashal@kernel.org>
In-Reply-To: <20250429235233.537828-1-sashal@kernel.org>
From: Frederick Lawler <fred@cloudflare.com>
[ Upstream commit 30d68cb0c37ebe2dc63aa1d46a28b9163e61caa2 ]
On IMA policy update, if a measure rule exists in the policy,
IMA_MEASURE is set for ima_policy_flags which makes the violation_check
variable always true. Coupled with a no-action on MAY_READ for a
FILE_CHECK call, we're always taking the inode_lock().
This becomes a performance problem for extremely heavy read-only workloads.
Therefore, prevent this only in the case there's no action to be taken.
Signed-off-by: Frederick Lawler <fred@cloudflare.com>
Acked-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/integrity/ima/ima_main.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 98308a2bdef6e..068edb0d79f73 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -235,7 +235,9 @@ static int process_measurement(struct file *file, const struct cred *cred,
&allowed_algos);
violation_check = ((func == FILE_CHECK || func == MMAP_CHECK ||
func == MMAP_CHECK_REQPROT) &&
- (ima_policy_flag & IMA_MEASURE));
+ (ima_policy_flag & IMA_MEASURE) &&
+ ((action & IMA_MEASURE) ||
+ (file->f_mode & FMODE_WRITE)));
if (!action && !violation_check)
return 0;
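Review bot: the commit message says the inode lock is now skipped only "in the case there's no action to be taken", but the new condition tests only `action & IMA_MEASURE`, not `action` as a whole, so a read-only open whose `action` carries some bit other than IMA_MEASURE also stops doing the violation check; either the message should say "no measure action" or the test should be `action` if that is what was meant. The `(file->f_mode & FMODE_WRITE)` leg that keeps the check for opens for write is not explained anywhere in the hunk; a one-line comment above `violation_check =` stating why a writer still needs the check even when nothing is measured would save the next reader from re-deriving it.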
--
2.39.5