authorDmitry Kasatkin <d.kasatkin@samsung.com>2014-03-27 04:54:11 -0400
committerMimi Zohar <zohar@linux.vnet.ibm.com>2014-06-12 17:58:06 -0400
commitb882fae2d3a832fdcdc194c9f358390b1efca8e7 (patch)
tree2f9f2a00683176e02fee1acd59db3705a9228f35 /security/integrity/ima/ima_main.c
parent3e38df56e6ef736f3ab516664697b55caa8f3238 (diff)
ima: prevent unnecessary policy checking
ima_rdwr_violation_check is called for every file opening. The function checks the policy even when the violation condition is not met. This causes unnecessary policy checking. This patch does policy checking only if the violation condition is met. Changelog: - check writecount is greater than zero (Mimi) Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security/integrity/ima/ima_main.c')
-rw-r--r--security/integrity/ima/ima_main.c13
1 files changed, 4 insertions, 9 deletions
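--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -81,7 +81,6 @@ static void ima_rdwr_violation_check(struct file *file)
 {
 	struct inode *inode = file_inode(file);
 	fmode_t mode = file->f_mode;
-	int must_measure;
 	bool send_tomtou = false, send_writers = false;
 	char *pathbuf = NULL;
 	const char *pathname;
@@ -94,16 +93,12 @@ static void ima_rdwr_violation_check(struct file *file)
 	if (mode & FMODE_WRITE) {
 		if (atomic_read(&inode->i_readcount) && IS_IMA(inode))
 			send_tomtou = true;
-		goto out;
+	} else {
+		if ((atomic_read(&inode->i_writecount) > 0) &&
+		    ima_must_measure(inode, MAY_READ, FILE_CHECK))
+			send_writers = true;
 	}
 
-	must_measure = ima_must_measure(inode, MAY_READ, FILE_CHECK);
-	if (!must_measure)
-		goto out;
-
-	if (atomic_read(&inode->i_writecount) > 0)
-		send_writers = true;
-out:
 	mutex_unlock(&inode->i_mutex);
 
 	if (!send_tomtou && !send_writers)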
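Review bot: The new else branch (new lines 97-99) deliberately tests i_writecount before calling ima_must_measure() so the policy walk is skipped when no open-writers violation is possible, but nothing in the code records that ordering, and a later cleanup could restore the old order and silently reintroduce the cost the commit removes; a one-line comment above the inner `if` would pin it, e.g. `/* Consult the policy only when an open-writers violation is actually possible. */`. As a point of style, the `} else {` that wraps a single `if` could be collapsed to `} else if ((atomic_read(&inode->i_writecount) > 0) &&` with the continuation lines unchanged, which is the more usual kernel form, though the nested form does keep the two branches visually parallel. With the `goto out` and the `out:` label gone, both branches fall through to the same mutex_unlock(), so no unlock path is lost. The signature of ima_rdwr_violation_check and the remainder of its body lie outside the hunk.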