author | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2011-02-22 10:19:43 -0500 |
committer | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2011-02-23 16:38:52 -0500 |
commit | 1adace9bb04a5f4a4dea9e642089102661bb0ceb (patch) | |
tree | 2396099935c50d838899a01da1438b8a441619de | |
parent | 854fdd55bfdd56cfc61bd30f2062a9268fcebba6 (diff) |
ima: remove unnecessary call to ima_must_measure
The original ima_must_measure() function based its results on cached
iint information, which required an iint be allocated for all files.
Currently, an iint is allocated only for files in policy. As a result,
for those files in policy, ima_must_measure() is now called twice: once
to determine if the inode is in the measurement policy and, the second
time, to determine if it needs to be measured/re-measured.
The second call to ima_must_measure() unnecessarily checks to see if
the file is in policy. As we already know the file is in policy, this
patch removes the second, unnecessary call to ima_must_measure(), removes
the vestige iint parameter, and just checks the iint directly to determine
if the inode has been measured or needs to be measured/re-measured.
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Acked-by: Eric Paris <eparis@redhat.com>
-rw-r--r-- | security/integrity/ima/ima.h | 3 | ||||
-rw-r--r-- | security/integrity/ima/ima_api.c | 13 | ||||
-rw-r--r-- | security/integrity/ima/ima_main.c | 6 |
3 files changed, 7 insertions, 15 deletions
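--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -110,8 +110,7 @@ struct ima_iint_cache {
 };
 
 /* LIM API function definitions */
-int ima_must_measure(struct ima_iint_cache *iint, struct inode *inode,
-int mask, int function);
+int ima_must_measure(struct inode *inode, int mask, int function);
 int ima_collect_measurement(struct ima_iint_cache *iint, struct file *file);
 void ima_store_measurement(struct ima_iint_cache *iint, struct file *file,
 const unsigned char *filename);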
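--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -105,20 +105,13 @@ err_out:
 * mask: contains the permission mask
 * fsmagic: hex value
 *
-* Must be called with iint->mutex held.
-*
-* Return 0 to measure. Return 1 if already measured.
-* For matching a DONT_MEASURE policy, no policy, or other
-* error, return an error code.
+* Return 0 to measure. For matching a DONT_MEASURE policy, no policy,
+* or other error, return an error code.
 */
-int ima_must_measure(struct ima_iint_cache *iint, struct inode *inode,
-int mask, int function)
+int ima_must_measure(struct inode *inode, int mask, int function)
 {
 int must_measure;
 
-if (iint && iint->flags & IMA_MEASURED)
-return 1;
-
 must_measure = ima_match_policy(inode, function, mask);
 return must_measure ? 0 : -EACCES;
 }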
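Review bot: The comment block above the new ima_must_measure() is not yet in line with its signature: the visible part still documents `fsmagic: hex value` (line 106) even though the function takes only inode, mask and function, and the parameter list at the top of that comment lies outside the hunk and presumably still names the removed iint argument; both should be brought up to date so the kernel-doc matches the prototype. Dropping `Must be called with iint->mutex held.` is correct, since the body no longer touches an iint at all. With the IMA_MEASURED short-circuit gone, the body is a single policy lookup and could be written as `return ima_match_policy(inode, function, mask) ? 0 : -EACCES;`, which makes the `must_measure` local unnecessary. The function's leading comment starts outside the hunk.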
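--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -65,7 +65,7 @@ static void ima_rdwr_violation_check(struct file *file)
 goto out;
 }
 
-rc = ima_must_measure(NULL, inode, MAY_READ, FILE_CHECK);
+rc = ima_must_measure(inode, MAY_READ, FILE_CHECK);
 if (rc < 0)
 goto out;
 
@@ -127,7 +127,7 @@ static int process_measurement(struct file *file, const unsigned char *filename,
 if (!ima_initialized || !S_ISREG(inode->i_mode))
 return 0;
 
-rc = ima_must_measure(NULL, inode, mask, function);
+rc = ima_must_measure(inode, mask, function);
 if (rc != 0)
 return rc;
 retry:
@@ -141,7 +141,7 @@ retry:
 
 mutex_lock(&iint->mutex);
 
-rc = ima_must_measure(iint, inode, mask, function);
+rc = iint->flags & IMA_MEASURED ? 1 : 0;
 if (rc != 0)
 goto out;
 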
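Review bot: The replacement at line 144 of process_measurement, `rc = iint->flags & IMA_MEASURED ? 1 : 0;`, depends on `&` binding tighter than `?:`; that is correct C, but it reads at a glance like `iint->flags & (IMA_MEASURED ? 1 : 0)`, so it should be parenthesised as `rc = (iint->flags & IMA_MEASURED) ? 1 : 0;` or, clearer still, written as `if (iint->flags & IMA_MEASURED) { rc = 1; goto out; }`. The flag is read after `mutex_lock(&iint->mutex)` two lines earlier, so the check is serialised exactly as the old ima_must_measure() call was. Since the non-zero rc now originates here rather than in a documented helper, a one-line comment such as `/* already measured: nothing to do */` would preserve the meaning that the removed "Return 1 if already measured" doc line carried. process_measurement and its `out:` label lie outside the hunk, so where rc == 1 ends up is not visible here.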