From patchwork Thu May 11 13:59:58 2017
X-Patchwork-Submitter: Guilherme Magalhaes
X-Patchwork-Id: 9722561
From: Guilherme Magalhaes
To: dmitry.kasatkin@gmail.com, zohar@linux.vnet.ibm.com
Cc: viro@zeniv.linux.org.uk, james.l.morris@oracle.com, serge@hallyn.com, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-ima-devel@lists.sourceforge.net, linux-ima-user@lists.sourceforge.net, linux-security-module@vger.kernel.org, tycho@docker.com, joaquims@hpe.com, nigel.edwards@hpe.com, Guilherme Magalhaes
Subject: [RFC 06/11] ima, fs: release namespace policy resources
Date: Thu, 11 May 2017 10:59:58 -0300
Message-Id: <1494511203-8397-7-git-send-email-guilherme.magalhaes@hpe.com>
In-Reply-To: <1494511203-8397-1-git-send-email-guilherme.magalhaes@hpe.com>
References: <1494511203-8397-1-git-send-email-guilherme.magalhaes@hpe.com>
X-Mailing-List: linux-fsdevel@vger.kernel.org

Release all namespace IMA policy resources when the mount namespace is released. This is the suggested mechanism to release namespace policy resources, but we still can discuss other methods to avoid cross-component changes.

Signed-off-by: Guilherme Magalhaes
---
 fs/namespace.c                  |  4 ++++
 include/linux/integrity.h       |  9 +++++++++
 security/integrity/ima/ima_fs.c | 26 ++++++++++++++++++++++++++
 3 files changed, 39 insertions(+)

diff --git a/fs/namespace.c b/fs/namespace.c index cc1375ef..80940998 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -15,6 +15,7 @@ #include #include #include +#include #include #include #include /* init_rootfs */ @@ -3283,6 +3284,9 @@ void put_mnt_ns(struct mnt_namespace *ns) { if (!atomic_dec_and_test(&ns->count)) return; + + ima_mnt_namespace_dying(ns->ns.inum); + drop_collected_mounts(&ns->root->mnt); free_mnt_ns(ns); } diff --git a/include/linux/integrity.h b/include/linux/integrity.h index c2d6082..034d082 100644
--- a/include/linux/integrity.h +++ b/include/linux/integrity.h @@ -43,4 +43,13 @@ static inline void integrity_load_keys(void) } #endif /* CONFIG_INTEGRITY */ +#ifdef CONFIG_IMA_PER_NAMESPACE +extern void ima_mnt_namespace_dying(unsigned int ns_id); +#else +static inline void ima_mnt_namespace_dying(unsigned int ns_id) +{ + return; +} +#endif /* CONFIG_IMA_PER_NAMESPACE */ + #endif /* _LINUX_INTEGRITY_H */ diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c index ce6dcdf..56ba0ff 100644 --- a/security/integrity/ima/ima_fs.c +++ b/security/integrity/ima/ima_fs.c @@ -423,6 +423,7 @@ static ssize_t ima_write_policy(struct file *file, const char __user *buf, integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL, "policy_update", "signed policy required", 1, 0); + if (ima_appraise & IMA_APPRAISE_ENFORCE) result = -EACCES; } else { @@ -579,6 +580,31 @@ static int create_mnt_ns_directory(unsigned int ns_id) return result; } +/* + * ima_mnt_namespace_dying - releases all namespace policy resources + * It is called automatically when the namespace is released. + * @ns_id namespace id to be released + * + * Note: This function is called by put_mnt_ns() in the context + * of a namespace release. We need to make sure that a lock on + * this path is allowed. + */ +void ima_mnt_namespace_dying(unsigned int ns_id) +{ + struct ima_ns_policy *p; + + spin_lock(&ima_ns_policy_lock); + p = radix_tree_delete(&ima_ns_policy_mapping, ns_id); + + if (!p) { + spin_unlock(&ima_ns_policy_lock); + return; + } + + free_namespace_policy(p); + spin_unlock(&ima_ns_policy_lock); +} + static ssize_t handle_new_namespace_policy(const char *data, size_t datalen) { unsigned int ns_id;
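Review bot: in the first fs/namespace.c hunk (the `@@ -15,6 +15,7 @@` include block) the header name of the added `+#include` line is not visible on this page, as with the surrounding include lines, so it cannot be checked here which header is pulled in; the only declaration this file needs is `ima_mnt_namespace_dying()`, which the include/linux/integrity.h hunk provides, so please confirm that is the header being added and that nothing heavier is dragged into fs/namespace.c.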
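Review bot: in the put_mnt_ns() hunk, the new call must stay ahead of `free_mnt_ns(ns)`, because that is where the namespace's inum is released back to the allocator and can be handed to the next mount namespace; if the call ever slid below it, a freshly created namespace could be assigned the same `ns->ns.inum` and have its policy deleted by the stale release. Nothing in the hunk enforces that order, so a one-line comment above `ima_mnt_namespace_dying(ns->ns.inum);` saying it has to run before the inum is freed would protect against a later reshuffle. Keying the policy table by `ns.inum` also means the key is only unique for the namespace's lifetime, which is exactly why this release hook is required for correctness and not just to avoid a leak.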
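Review bot: in the include/linux/integrity.h hunk the `return;` inside the `!CONFIG_IMA_PER_NAMESPACE` stub is redundant in a void function; the kernel convention for an empty inline stub is just `{ }`. Placement is right: the new block sits after `#endif /* CONFIG_INTEGRITY */`, so fs/namespace.c still compiles when integrity support is off entirely.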
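Review bot: the ima_write_policy() hunk that adds `if (ima_appraise & IMA_APPRAISE_ENFORCE)` in front of `result = -EACCES;` is unrelated to releasing namespace resources and is not mentioned in the commit message. Either it restores a line an earlier patch in this series dropped, in which case it belongs in that patch, or it is an independent behaviour change and needs its own patch with a justification. Note what it does: when a signed policy is required but appraisal is not enforcing, the audit message is still emitted but `result` is left as it was, so the write no longer fails with -EACCES.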
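Review bot: in the ima_mnt_namespace_dying() hunk, `free_namespace_policy(p)` is called with `ima_ns_policy_lock` (a spinlock) held, but `radix_tree_delete()` already returns the entry, so the lock only needs to cover the delete. If free_namespace_policy() can sleep, in particular if it tears down the per-namespace securityfs directory that `create_mnt_ns_directory()` just above creates (securityfs_remove() takes the parent inode lock and may sleep), this is a scheduling-while-atomic bug. Suggested shape: `p = radix_tree_delete(&ima_ns_policy_mapping, ns_id); spin_unlock(&ima_ns_policy_lock); if (p) free_namespace_policy(p);`. If lookups of the mapping are done without the spinlock, the free also has to wait for readers (kfree_rcu or synchronize_rcu) rather than run immediately. The header comment should use the kernel-doc form (`/**` and `@ns_id:`), and "We need to make sure that a lock on this path is allowed" reads as an open question rather than documentation; state the actual constraint (a spinlock here is fine provided nothing under it can sleep) or resolve it before this leaves RFC.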