From: guilherme.magalhaes@hpe.com (Guilherme Magalhaes)
To: linux-security-module@vger.kernel.org
Subject: [RFC 06/11] ima, fs: release namespace policy resources
Date: Thu, 11 May 2017 10:59:58 -0300
Message-ID: <1494511203-8397-7-git-send-email-guilherme.magalhaes@hpe.com>
In-Reply-To: <1494511203-8397-1-git-send-email-guilherme.magalhaes@hpe.com>
Release all namespace IMA policy resources when the mount namespace is
released.
This is the suggested mechanism to release namespace policy resources,
but we can still discuss other methods to avoid cross-component changes.
Signed-off-by: Guilherme Magalhaes <guilherme.magalhaes@hpe.com>
---
fs/namespace.c | 4 ++++
include/linux/integrity.h | 9 +++++++++
security/integrity/ima/ima_fs.c | 26 ++++++++++++++++++++++++++
3 files changed, 39 insertions(+)
diff --git a/fs/namespace.c b/fs/namespace.c
index cc1375ef..80940998 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -15,6 +15,7 @@
#include <linux/user_namespace.h>
#include <linux/namei.h>
#include <linux/security.h>
+#include <linux/integrity.h>
#include <linux/cred.h>
#include <linux/idr.h>
#include <linux/init.h> /* init_rootfs */
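Review bot: the new `#include <linux/integrity.h>` makes fs/namespace.c depend directly on the integrity subsystem, which is exactly the cross-component change the commit message leaves open for discussion; routing the callout through an LSM hook (security.h is already included here) would keep fs/ unaware of IMA. If the direct include stays, placing it at the end of the include list rather than between security.h and cred.h keeps the existing ordering undisturbed.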
@@ -3283,6 +3284,9 @@ void put_mnt_ns(struct mnt_namespace *ns)
{
if (!atomic_dec_and_test(&ns->count))
return;
+
+ ima_mnt_namespace_dying(ns->ns.inum);
+
drop_collected_mounts(&ns->root->mnt);
free_mnt_ns(ns);
}
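Review bot: keying the callout on `ns->ns.inum` is safe at this point because `ima_mnt_namespace_dying()` runs before `free_mnt_ns(ns)`, which is where the inum is given back for reuse, so a newly created namespace cannot inherit a stale policy entry. Two things are worth stating in the commit message: first, put_mnt_ns() already sleeps here (drop_collected_mounts() takes namespace_sem), so the IMA side is not restricted to non-sleeping primitives; second, this path only releases policies whose id matches a mount namespace that actually existed and was torn down. Since handle_new_namespace_policy() in ima_fs.c parses the id from data written through securityfs, a policy registered for an id that never corresponds to a live namespace has no owner to trigger this hook and is never freed; either validate the id against an existing namespace at write time or tie the policy to the namespace object rather than to its inum.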
diff --git a/include/linux/integrity.h b/include/linux/integrity.h
index c2d6082..034d082 100644
--- a/include/linux/integrity.h
+++ b/include/linux/integrity.h
@@ -43,4 +43,13 @@ static inline void integrity_load_keys(void)
}
#endif /* CONFIG_INTEGRITY */
+#ifdef CONFIG_IMA_PER_NAMESPACE
+extern void ima_mnt_namespace_dying(unsigned int ns_id);
+#else
+static inline void ima_mnt_namespace_dying(unsigned int ns_id)
+{
+ return;
+}
+#endif /* CONFIG_IMA_PER_NAMESPACE */
+
#endif /* _LINUX_INTEGRITY_H */
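Review bot: the `return;` in the `!CONFIG_IMA_PER_NAMESPACE` stub of `ima_mnt_namespace_dying()` is redundant in a void inline and should be dropped so the body is an empty `{ }`, matching the `integrity_load_keys()` stub just above it. Since this is the only IMA-specific symbol exposed from integrity.h, a one-line comment saying it is the callout used by put_mnt_ns() would help readers of the header understand why it lives here rather than in ima.h.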
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index ce6dcdf..56ba0ff 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -423,6 +423,7 @@ static ssize_t ima_write_policy(struct file *file, const char __user *buf,
integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL,
"policy_update", "signed policy required",
1, 0);
+
if (ima_appraise & IMA_APPRAISE_ENFORCE)
result = -EACCES;
} else {
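Review bot: this hunk only inserts a blank line inside ima_write_policy() and has nothing to do with releasing namespace policy resources; drop it so the patch stays focused, or fold it into whichever patch in the series actually modifies this function.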
@@ -579,6 +580,31 @@ static int create_mnt_ns_directory(unsigned int ns_id)
return result;
}
+/*
+ * ima_mnt_namespace_dying - releases all namespace policy resources
+ * It is called automatically when the namespace is released.
+ * @ns_id namespace id to be released
+ *
+ * Note: This function is called by put_mnt_ns() in the context
+ * of a namespace release. We need to make sure that a lock on
+ * this path is allowed.
+ */
+void ima_mnt_namespace_dying(unsigned int ns_id)
+{
+ struct ima_ns_policy *p;
+
+ spin_lock(&ima_ns_policy_lock);
+ p = radix_tree_delete(&ima_ns_policy_mapping, ns_id);
+
+ if (!p) {
+ spin_unlock(&ima_ns_policy_lock);
+ return;
+ }
+
+ free_namespace_policy(p);
+ spin_unlock(&ima_ns_policy_lock);
+}
+
static ssize_t handle_new_namespace_policy(const char *data, size_t datalen)
{
unsigned int ns_id;
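Review bot: `free_namespace_policy(p)` is called while `ima_ns_policy_lock` is held as a spinlock, so if that helper does anything that can sleep (for example removing a securityfs dentry, which takes the parent inode lock) this becomes a sleep-in-atomic bug on every namespace teardown. `radix_tree_delete()` has already detached the entry, so the lock can be released before freeing:

	spin_unlock(&ima_ns_policy_lock);
	if (p)
		free_namespace_policy(p);

If lookups elsewhere can still hold a pointer to `p` after it is removed from the tree, say what protects them (RCU, or that every lookup takes the same lock) in the function comment. That comment should also use the `/**` kernel-doc form with `@ns_id:` followed by a colon, and replace "we need to make sure that a lock on this path is allowed" with the real constraint: put_mnt_ns() may sleep, but whatever runs under `ima_ns_policy_lock` must not.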
--
2.7.4
Thread overview: 19+ messages
2017-05-11 13:59 [RFC 00/11] ima: namespace support for IMA policy Guilherme Magalhaes
2017-05-11 13:59 ` [RFC 01/11] ima: qualify pathname in audit info record Guilherme Magalhaes
2017-05-11 13:59 ` [RFC 02/11] ima: qualify pathname in audit measurement record Guilherme Magalhaes
2017-05-11 13:59 ` [RFC 03/11] ima: qualify pathname in measurement file Guilherme Magalhaes
2017-05-11 13:59 ` [RFC 04/11] ima: add support to namespace securityfs file Guilherme Magalhaes
2017-05-18 21:39 ` Tycho Andersen
2017-05-24 20:12 ` Mimi Zohar
2017-05-25 7:36 ` John Johansen
2017-05-25 11:46 ` Mimi Zohar
2017-05-25 19:04 ` Magalhaes, Guilherme (Brazil R&D-CL)
2017-05-29 17:32 ` Mimi Zohar
2017-05-31 9:49 ` Dr. Greg Wettstein
2017-05-11 13:59 ` [RFC 05/11] ima: store new namespace policy structure in a radix tree Guilherme Magalhaes
2017-05-11 13:59 ` Guilherme Magalhaes [this message]
2017-05-11 13:59 ` [RFC 07/11] ima: new namespace policy structure to track initial namespace policy data Guilherme Magalhaes
2017-05-11 14:00 ` [RFC 08/11] ima: block initial namespace id on the namespace policy interface Guilherme Magalhaes
2017-05-11 14:00 ` [RFC 09/11] ima: delete namespace policy securityfs file in write-once mode Guilherme Magalhaes
2017-05-11 14:00 ` [RFC 10/11] ima: handling all policy flags per namespace using ima_ns_policy structure Guilherme Magalhaes
2017-05-11 14:53 ` [RFC 00/11] ima: namespace support for IMA policy Magalhaes, Guilherme (Brazil R&D-CL)