authorDmitry Kasatkin <d.kasatkin@samsung.com>2014-09-24 04:05:10 -0400
committerMimi Zohar <zohar@linux.vnet.ibm.com>2014-10-07 14:32:52 -0400
commit0f34a0060aebf202010b3f8fef348653a2df2346 (patch)
tree5cb7a5aabb05827889989c779ac8a2242cd4a0df /security/integrity
parent594081ee7145cc30a3977cb4e218f81213b63dc5 (diff)
ima: check ima_policy_flag in the ima_file_free() hook
This patch completes the switching to the 'ima_policy_flag' variable in the checks at the beginning of IMA functions, starting with the commit a756024e. Checking 'iint_initialized' is completely unnecessary, because S_IMA flag is unset if iint was not allocated. At the same time the integrity cache is allocated with SLAB_PANIC and the kernel will panic if the allocation fails during kernel initialization. So on a running system iint_initialized is always true and can be removed. Changes in v3: * not limiting test to IMA_APPRAISE (spotted by Roberto Sassu) Changes in v2: * 'iint_initialized' removal patch merged to this patch (requested by Mimi) Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Acked-by: Roberto Sassu <roberto.sassu@polito.it>
Diffstat (limited to 'security/integrity')
-rw-r--r--security/integrity/iint.c3
-rw-r--r--security/integrity/ima/ima_main.c2
-rw-r--r--security/integrity/integrity.h3
3 files changed, 1 insertions, 7 deletions
diff --git a/security/integrity/iint.c b/security/integrity/iint.c
index a521edf4cbd6..cc3eb4de18a1 100644
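--- a/security/integrity/iint.c
+++ b/security/integrity/iint.c
@@ -25,8 +25,6 @@ static struct rb_root integrity_iint_tree = RB_ROOT;
 static DEFINE_RWLOCK(integrity_iint_lock);
 static struct kmem_cache *iint_cache __read_mostly;
 
-int iint_initialized;
-
 /*
  * __integrity_iint_find - return the iint associated with an inode
  */
@@ -166,7 +164,6 @@ static int __init integrity_iintcache_init(void)
  iint_cache =
  kmem_cache_create("iint_cache", sizeof(struct integrity_iint_cache),
  0, SLAB_PANIC, init_once);
- iint_initialized = 1;
  return 0;
 }
 security_initcall(integrity_iintcache_init);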
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 62f59eca32d3..72faf0b5b05c 100644
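--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -143,7 +143,7 @@ void ima_file_free(struct file *file)
  struct inode *inode = file_inode(file);
  struct integrity_iint_cache *iint;
 
- if (!iint_initialized || !S_ISREG(inode->i_mode))
+ if (!ima_policy_flag || !S_ISREG(inode->i_mode))
  return;
 
  iint = integrity_iint_find(inode);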
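Review bot: The new guard at line 146 of ima_file_free() makes the close-time path depend on `ima_policy_flag`, which is not defined in this diff and, unlike the one-shot `iint_initialized`, presumably changes when the policy is updated. If that flag can read as zero, even briefly, while a file opened under an active policy is being closed, the rest of the function (which continues outside the hunk) is skipped and cached integrity state for that inode may be left stale. It is worth confirming that the policy-update path never clears the flag before recomputing it. The assumption could be recorded above the check, e.g. `/* ima_policy_flag is zero only when no policy rule is in effect; a policy update must not clear it transiently */`.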
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index c0379d13dbe1..883a5fc75449 100644
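--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -169,6 +169,3 @@ static inline void integrity_audit_msg(int audit_msgno, struct inode *inode,
 {
 }
 #endif
-
-/* set during initialization */
-extern int iint_initialized;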