@@ -220,6 +220,17 @@ struct ima_h_table {
struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
};
+enum {
+ IMAFS_DENTRY_DIR = 0,
+ IMAFS_DENTRY_SYMLINK,
+ IMAFS_DENTRY_BINARY_RUNTIME_MEASUREMENTS,
+ IMAFS_DENTRY_ASCII_RUNTIME_MEASUREMENTS,
+ IMAFS_DENTRY_RUNTIME_MEASUREMENTS_COUNT,
+ IMAFS_DENTRY_VIOLATIONS,
+ IMAFS_DENTRY_IMA_POLICY,
+ IMAFS_DENTRY_LAST
+};
+
struct ima_namespace {
struct kref kref;
struct user_namespace *user_ns;
@@ -266,6 +277,8 @@ struct ima_namespace {
struct mutex ima_write_mutex;
unsigned long ima_fs_flags;
int valid_policy;
+
+ struct dentry *dentry[IMAFS_DENTRY_LAST];
};
extern struct ima_namespace init_ima_ns;
@@ -359,14 +359,6 @@ static ssize_t ima_write_policy(struct file *file, const char __user *buf,
return result;
}
-static struct dentry *ima_dir;
-static struct dentry *ima_symlink;
-static struct dentry *binary_runtime_measurements;
-static struct dentry *ascii_runtime_measurements;
-static struct dentry *runtime_measurements_count;
-static struct dentry *violations;
-static struct dentry *ima_policy;
-
enum ima_fs_flags {
IMA_FS_BUSY,
};
@@ -436,8 +428,8 @@ static int ima_release_policy(struct inode *inode, struct file *file)
ima_update_policy(ns);
#if !defined(CONFIG_IMA_WRITE_POLICY) && !defined(CONFIG_IMA_READ_POLICY)
- securityfs_remove(ima_policy);
- ima_policy = NULL;
+ securityfs_remove(ns->dentry[IMAFS_DENTRY_IMA_POLICY]);
+ ns->dentry[IMAFS_DENTRY_IMA_POLICY] = NULL;
#elif defined(CONFIG_IMA_WRITE_POLICY)
clear_bit(IMA_FS_BUSY, &ns->ima_fs_flags);
#elif defined(CONFIG_IMA_READ_POLICY)
@@ -454,58 +446,72 @@ static const struct file_operations ima_measure_policy_ops = {
.llseek = generic_file_llseek,
};
-int __init ima_fs_init(void)
+static void ima_fs_ns_free_dentries(struct ima_namespace *ns)
{
- ima_dir = securityfs_create_dir("ima", integrity_dir);
- if (IS_ERR(ima_dir))
+ int i;
+
+ for (i = IMAFS_DENTRY_LAST - 1; i >= 0; i--)
+ securityfs_remove(ns->dentry[i]);
+
+ memset(ns->dentry, 0, sizeof(ns->dentry));
+}
+
+static int __init ima_fs_ns_init(struct user_namespace *user_ns)
+{
+ struct ima_namespace *ns = user_ns->ima_ns;
+ struct dentry *ima_dir;
+
+ ns->dentry[IMAFS_DENTRY_DIR] = securityfs_create_dir("ima", integrity_dir);
+ if (IS_ERR(ns->dentry[IMAFS_DENTRY_DIR]))
return -1;
+ ima_dir = ns->dentry[IMAFS_DENTRY_DIR];
- ima_symlink = securityfs_create_symlink("ima", NULL, "integrity/ima",
- NULL);
- if (IS_ERR(ima_symlink))
+ ns->dentry[IMAFS_DENTRY_SYMLINK] =
+ securityfs_create_symlink("ima", NULL, "integrity/ima", NULL);
+ if (IS_ERR(ns->dentry[IMAFS_DENTRY_SYMLINK]))
goto out;
- binary_runtime_measurements =
+ ns->dentry[IMAFS_DENTRY_BINARY_RUNTIME_MEASUREMENTS] =
securityfs_create_file("binary_runtime_measurements",
S_IRUSR | S_IRGRP, ima_dir, NULL,
&ima_measurements_ops);
- if (IS_ERR(binary_runtime_measurements))
+ if (IS_ERR(ns->dentry[IMAFS_DENTRY_BINARY_RUNTIME_MEASUREMENTS]))
goto out;
- ascii_runtime_measurements =
+ ns->dentry[IMAFS_DENTRY_ASCII_RUNTIME_MEASUREMENTS] =
securityfs_create_file("ascii_runtime_measurements",
S_IRUSR | S_IRGRP, ima_dir, NULL,
&ima_ascii_measurements_ops);
- if (IS_ERR(ascii_runtime_measurements))
+ if (IS_ERR(ns->dentry[IMAFS_DENTRY_ASCII_RUNTIME_MEASUREMENTS]))
goto out;
- runtime_measurements_count =
+ ns->dentry[IMAFS_DENTRY_RUNTIME_MEASUREMENTS_COUNT] =
securityfs_create_file("runtime_measurements_count",
S_IRUSR | S_IRGRP, ima_dir, NULL,
&ima_measurements_count_ops);
- if (IS_ERR(runtime_measurements_count))
+ if (IS_ERR(ns->dentry[IMAFS_DENTRY_RUNTIME_MEASUREMENTS_COUNT]))
goto out;
- violations =
+ ns->dentry[IMAFS_DENTRY_VIOLATIONS] =
securityfs_create_file("violations", S_IRUSR | S_IRGRP,
ima_dir, NULL, &ima_htable_violations_ops);
- if (IS_ERR(violations))
+ if (IS_ERR(ns->dentry[IMAFS_DENTRY_VIOLATIONS]))
goto out;
- ima_policy = securityfs_create_file("policy", POLICY_FILE_FLAGS,
+ ns->dentry[IMAFS_DENTRY_IMA_POLICY] =
+ securityfs_create_file("policy", POLICY_FILE_FLAGS,
ima_dir, NULL,
&ima_measure_policy_ops);
- if (IS_ERR(ima_policy))
+ if (IS_ERR(ns->dentry[IMAFS_DENTRY_IMA_POLICY]))
goto out;
return 0;
out:
- securityfs_remove(violations);
- securityfs_remove(runtime_measurements_count);
- securityfs_remove(ascii_runtime_measurements);
- securityfs_remove(binary_runtime_measurements);
- securityfs_remove(ima_symlink);
- securityfs_remove(ima_dir);
- securityfs_remove(ima_policy);
+ ima_fs_ns_free_dentries(ns);
return -1;
}
+
+int __init ima_fs_init(void)
+{
+ return ima_fs_ns_init(&init_user_ns);
+}
Move the dentries into the ima_namespace for reuse by virtualized SecurityFS. Implement function freeing the dentries in order of files and symlinks before directories. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> --- include/linux/ima.h | 13 ++++++ security/integrity/ima/ima_fs.c | 72 ++++++++++++++++++--------------- 2 files changed, 52 insertions(+), 33 deletions(-)