aboutsummaryrefslogtreecommitdiffstats
path: root/security/integrity
diff options
context:
space:
mode:
authorEric Paris <eparis@redhat.com>2010-10-25 14:42:19 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2010-10-26 14:37:19 -0400
commit196f518128d2ee6e0028b50e6fec0313640db142 (patch)
tree43a1d76bee477dbaa682233979e86f58a98369f0 /security/integrity
parent64c62f06bef8314a64d3189cb9c78062d54169b3 (diff)
IMA: explicit IMA i_flag to remove global lock on inode_delete
Currently for every removed inode IMA must take a global lock and search the IMA rbtree looking for an associated integrity structure. Instead we explicitly mark an inode when we add an integrity structure so we only have to take the global lock and do the removal if it exists. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'security/integrity')
-rw-r--r--security/integrity/ima/ima_iint.c16
-rw-r--r--security/integrity/ima/ima_main.c1
2 files changed, 12 insertions, 5 deletions
diff --git a/security/integrity/ima/ima_iint.c b/security/integrity/ima/ima_iint.c
index 969a1c1cb333..c442e47b6785 100644
--- a/security/integrity/ima/ima_iint.c
+++ b/security/integrity/ima/ima_iint.c
@@ -59,6 +59,9 @@ struct ima_iint_cache *ima_iint_find(struct inode *inode)
59{ 59{
60 struct ima_iint_cache *iint; 60 struct ima_iint_cache *iint;
61 61
62 if (!IS_IMA(inode))
63 return NULL;
64
62 spin_lock(&ima_iint_lock); 65 spin_lock(&ima_iint_lock);
63 iint = __ima_iint_find(inode); 66 iint = __ima_iint_find(inode);
64 spin_unlock(&ima_iint_lock); 67 spin_unlock(&ima_iint_lock);
@@ -91,6 +94,7 @@ int ima_inode_alloc(struct inode *inode)
91 new_iint->inode = inode; 94 new_iint->inode = inode;
92 new_node = &new_iint->rb_node; 95 new_node = &new_iint->rb_node;
93 96
97 mutex_lock(&inode->i_mutex); /* i_flags */
94 spin_lock(&ima_iint_lock); 98 spin_lock(&ima_iint_lock);
95 99
96 p = &ima_iint_tree.rb_node; 100 p = &ima_iint_tree.rb_node;
@@ -107,14 +111,17 @@ int ima_inode_alloc(struct inode *inode)
107 goto out_err; 111 goto out_err;
108 } 112 }
109 113
114 inode->i_flags |= S_IMA;
110 rb_link_node(new_node, parent, p); 115 rb_link_node(new_node, parent, p);
111 rb_insert_color(new_node, &ima_iint_tree); 116 rb_insert_color(new_node, &ima_iint_tree);
112 117
113 spin_unlock(&ima_iint_lock); 118 spin_unlock(&ima_iint_lock);
119 mutex_unlock(&inode->i_mutex); /* i_flags */
114 120
115 return 0; 121 return 0;
116out_err: 122out_err:
117 spin_unlock(&ima_iint_lock); 123 spin_unlock(&ima_iint_lock);
124 mutex_unlock(&inode->i_mutex); /* i_flags */
118 iint_free(new_iint); 125 iint_free(new_iint);
119 126
120 return rc; 127 return rc;
@@ -135,15 +142,14 @@ void ima_inode_free(struct inode *inode)
135 142
136 inode->i_readcount = 0; 143 inode->i_readcount = 0;
137 144
145 if (!IS_IMA(inode))
146 return;
147
138 spin_lock(&ima_iint_lock); 148 spin_lock(&ima_iint_lock);
139 iint = __ima_iint_find(inode); 149 iint = __ima_iint_find(inode);
140 if (iint) 150 rb_erase(&iint->rb_node, &ima_iint_tree);
141 rb_erase(&iint->rb_node, &ima_iint_tree);
142 spin_unlock(&ima_iint_lock); 151 spin_unlock(&ima_iint_lock);
143 152
144 if (!iint)
145 return;
146
147 iint_free(iint); 153 iint_free(iint);
148} 154}
149 155
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 1dccafef7494..60dd61527b1e 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -211,6 +211,7 @@ void ima_file_free(struct file *file)
211 211
212 if (!iint_initialized || !S_ISREG(inode->i_mode)) 212 if (!iint_initialized || !S_ISREG(inode->i_mode))
213 return; 213 return;
214
214 iint = ima_iint_find(inode); 215 iint = ima_iint_find(inode);
215 216
216 if (iint) 217 if (iint)