diff options
author | Dmitry Kasatkin <d.kasatkin@samsung.com> | 2014-09-24 04:05:10 -0400 |
---|---|---|
committer | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2014-10-07 14:32:52 -0400 |
commit | 0f34a0060aebf202010b3f8fef348653a2df2346 (patch) | |
tree | 5cb7a5aabb05827889989c779ac8a2242cd4a0df /security/integrity | |
parent | 594081ee7145cc30a3977cb4e218f81213b63dc5 (diff) |
ima: check ima_policy_flag in the ima_file_free() hook
This patch completes the switching to the 'ima_policy_flag' variable
in the checks at the beginning of IMA functions, starting with the
commit a756024e.
Checking 'iint_initialized' is completely unnecessary, because
S_IMA flag is unset if iint was not allocated. At the same time
the integrity cache is allocated with SLAB_PANIC and the kernel will
panic if the allocation fails during kernel initialization. So on
a running system iint_initialized is always true and can be removed.
Changes in v3:
* not limiting test to IMA_APPRAISE (spotted by Roberto Sassu)
Changes in v2:
* 'iint_initialized' removal patch merged to this patch (requested
by Mimi)
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Acked-by: Roberto Sassu <roberto.sassu@polito.it>
Diffstat (limited to 'security/integrity')
-rw-r--r-- | security/integrity/iint.c | 3 | ||||
-rw-r--r-- | security/integrity/ima/ima_main.c | 2 | ||||
-rw-r--r-- | security/integrity/integrity.h | 3 |
3 files changed, 1 insertions, 7 deletions
diff --git a/security/integrity/iint.c b/security/integrity/iint.c index a521edf4cbd6..cc3eb4de18a1 100644 --- a/security/integrity/iint.c +++ b/security/integrity/iint.c | |||
@@ -25,8 +25,6 @@ static struct rb_root integrity_iint_tree = RB_ROOT; | |||
25 | static DEFINE_RWLOCK(integrity_iint_lock); | 25 | static DEFINE_RWLOCK(integrity_iint_lock); |
26 | static struct kmem_cache *iint_cache __read_mostly; | 26 | static struct kmem_cache *iint_cache __read_mostly; |
27 | 27 | ||
28 | int iint_initialized; | ||
29 | |||
30 | /* | 28 | /* |
31 | * __integrity_iint_find - return the iint associated with an inode | 29 | * __integrity_iint_find - return the iint associated with an inode |
32 | */ | 30 | */ |
@@ -166,7 +164,6 @@ static int __init integrity_iintcache_init(void) | |||
166 | iint_cache = | 164 | iint_cache = |
167 | kmem_cache_create("iint_cache", sizeof(struct integrity_iint_cache), | 165 | kmem_cache_create("iint_cache", sizeof(struct integrity_iint_cache), |
168 | 0, SLAB_PANIC, init_once); | 166 | 0, SLAB_PANIC, init_once); |
169 | iint_initialized = 1; | ||
170 | return 0; | 167 | return 0; |
171 | } | 168 | } |
172 | security_initcall(integrity_iintcache_init); | 169 | security_initcall(integrity_iintcache_init); |
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 62f59eca32d3..72faf0b5b05c 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c | |||
@@ -143,7 +143,7 @@ void ima_file_free(struct file *file) | |||
143 | struct inode *inode = file_inode(file); | 143 | struct inode *inode = file_inode(file); |
144 | struct integrity_iint_cache *iint; | 144 | struct integrity_iint_cache *iint; |
145 | 145 | ||
146 | if (!iint_initialized || !S_ISREG(inode->i_mode)) | 146 | if (!ima_policy_flag || !S_ISREG(inode->i_mode)) |
147 | return; | 147 | return; |
148 | 148 | ||
149 | iint = integrity_iint_find(inode); | 149 | iint = integrity_iint_find(inode); |
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index c0379d13dbe1..883a5fc75449 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h | |||
@@ -169,6 +169,3 @@ static inline void integrity_audit_msg(int audit_msgno, struct inode *inode, | |||
169 | { | 169 | { |
170 | } | 170 | } |
171 | #endif | 171 | #endif |
172 | |||
173 | /* set during initialization */ | ||
174 | extern int iint_initialized; | ||