| Message ID | 20220201203735.164593-17-stefanb@linux.ibm.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | ima: Namespace IMA with audit support in IMA-ns | expand |
On Tue, 2022-02-01 at 15:37 -0500, Stefan Berger wrote: > Implement ima_free_policy_rules() that is needed when an ima_namespace > is freed. > > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> > > --- > v10: > - Not calling ima_delete_rules() anymore > - Move access check from ima_delete_rules into very last patch > > v9: > - Only reset temp_ima_appraise when using init_ima_ns. > --- > security/integrity/ima/ima.h | 1 + > security/integrity/ima/ima_policy.c | 14 ++++++++++++++ > 2 files changed, 15 insertions(+) > > diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h > index aea8fb8d2854..8c757223d549 100644 > --- a/security/integrity/ima/ima.h > +++ b/security/integrity/ima/ima.h > @@ -329,6 +329,7 @@ void ima_update_policy_flags(struct ima_namespace *ns); > ssize_t ima_parse_add_rule(struct ima_namespace *ns, char *rule); > void ima_delete_rules(struct ima_namespace *ns); > int ima_check_policy(struct ima_namespace *ns); > +void ima_free_policy_rules(struct ima_namespace *ns); > void *ima_policy_start(struct seq_file *m, loff_t *pos); > void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos); > void ima_policy_stop(struct seq_file *m, void *v); > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c > index 2dcc5a8c585a..fe3dce8fb939 100644 > --- a/security/integrity/ima/ima_policy.c > +++ b/security/integrity/ima/ima_policy.c > @@ -1889,6 +1889,20 @@ void ima_delete_rules(struct ima_namespace *ns) > } > } > > +/** > + * ima_free_policy_rules - free all policy rules > + * @ns: IMA namespace that has the policy > + */ > +void ima_free_policy_rules(struct ima_namespace *ns) > +{ > + struct ima_rule_entry *entry, *tmp; > + > + list_for_each_entry_safe(entry, tmp, &ns->ima_policy_rules, list) { > + list_del(&entry->list); > + ima_free_rule(entry); > + } > +} > + The first time a policy is loaded, the policy rules pivot from ima_default_rules to the custom rules. When this happens, the architecture specific policy rules are freed. Here too, if a custom policy isn't already loaded, the architecture specific rules stored as an array need to be freed. Refer to the comment in ima_update_policy(). > #define __ima_hook_stringify(func, str) (#func), > > const char *const func_tokens[] = {
On 2/18/22 12:09, Mimi Zohar wrote: > On Tue, 2022-02-01 at 15:37 -0500, Stefan Berger wrote: >> Implement ima_free_policy_rules() that is needed when an ima_namespace >> is freed. >> >> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> >> >> --- >> v10: >> - Not calling ima_delete_rules() anymore >> - Move access check from ima_delete_rules into very last patch >> >> v9: >> - Only reset temp_ima_appraise when using init_ima_ns. >> --- >> security/integrity/ima/ima.h | 1 + >> security/integrity/ima/ima_policy.c | 14 ++++++++++++++ >> 2 files changed, 15 insertions(+) >> >> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h >> index aea8fb8d2854..8c757223d549 100644 >> --- a/security/integrity/ima/ima.h >> +++ b/security/integrity/ima/ima.h >> @@ -329,6 +329,7 @@ void ima_update_policy_flags(struct ima_namespace *ns); >> ssize_t ima_parse_add_rule(struct ima_namespace *ns, char *rule); >> void ima_delete_rules(struct ima_namespace *ns); >> int ima_check_policy(struct ima_namespace *ns); >> +void ima_free_policy_rules(struct ima_namespace *ns); >> void *ima_policy_start(struct seq_file *m, loff_t *pos); >> void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos); >> void ima_policy_stop(struct seq_file *m, void *v); >> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c >> index 2dcc5a8c585a..fe3dce8fb939 100644 >> --- a/security/integrity/ima/ima_policy.c >> +++ b/security/integrity/ima/ima_policy.c >> @@ -1889,6 +1889,20 @@ void ima_delete_rules(struct ima_namespace *ns) >> } >> } >> >> +/** >> + * ima_free_policy_rules - free all policy rules >> + * @ns: IMA namespace that has the policy >> + */ >> +void ima_free_policy_rules(struct ima_namespace *ns) >> +{ >> + struct ima_rule_entry *entry, *tmp; >> + >> + list_for_each_entry_safe(entry, tmp, &ns->ima_policy_rules, list) { >> + list_del(&entry->list); >> + ima_free_rule(entry); >> + } >> +} >> + > The first time a policy is loaded, the policy rules pivot > from ima_default_rules to the custom rules. When this happens, the > architecture specific policy rules are freed. Here too, if a custom > policy isn't already loaded, the architecture specific rules stored as > an array need to be freed. Refer to the comment in > ima_update_policy(). Right. So here's how it's done (before arch_policy_entry was moved into ima_namespace). /* * IMA architecture specific policy rules are specified * as strings and converted to an array of ima_entry_rules * on boot. After loading a custom policy, free the * architecture specific rules stored as an array. */ kfree(arch_policy_entry); So, I now added kfree(ns->arch_policy_entry). Thanks. Stefan > >> #define __ima_hook_stringify(func, str) (#func), >> >> const char *const func_tokens[] = {
On Fri, 2022-02-18 at 14:38 -0500, Stefan Berger wrote: > On 2/18/22 12:09, Mimi Zohar wrote: > > On Tue, 2022-02-01 at 15:37 -0500, Stefan Berger wrote: > >> Implement ima_free_policy_rules() that is needed when an ima_namespace > >> is freed. ima_free_policy_rules() isn't free all the rules, just the custom policy rules. I would update the patch description as: Implement ima_free_policy_rules() to free the custom policy rules, when ... Otherwise, Reviewd-by: Mimi Zohar <zohar@linux.ibm.com> > >> > >> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> > >> > >> --- > >> v10: > >> - Not calling ima_delete_rules() anymore > >> - Move access check from ima_delete_rules into very last patch > >> > >> v9: > >> - Only reset temp_ima_appraise when using init_ima_ns. > >> --- > >> security/integrity/ima/ima.h | 1 + > >> security/integrity/ima/ima_policy.c | 14 ++++++++++++++ > >> 2 files changed, 15 insertions(+) > >> > >> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h > >> index aea8fb8d2854..8c757223d549 100644 > >> --- a/security/integrity/ima/ima.h > >> +++ b/security/integrity/ima/ima.h > >> @@ -329,6 +329,7 @@ void ima_update_policy_flags(struct ima_namespace *ns); > >> ssize_t ima_parse_add_rule(struct ima_namespace *ns, char *rule); > >> void ima_delete_rules(struct ima_namespace *ns); > >> int ima_check_policy(struct ima_namespace *ns); > >> +void ima_free_policy_rules(struct ima_namespace *ns); > >> void *ima_policy_start(struct seq_file *m, loff_t *pos); > >> void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos); > >> void ima_policy_stop(struct seq_file *m, void *v); > >> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c > >> index 2dcc5a8c585a..fe3dce8fb939 100644 > >> --- a/security/integrity/ima/ima_policy.c > >> +++ b/security/integrity/ima/ima_policy.c > >> @@ -1889,6 +1889,20 @@ void ima_delete_rules(struct ima_namespace *ns) > >> } > >> } > >> > >> +/** > >> + * ima_free_policy_rules - free all policy rules > >> + * @ns: IMA namespace that has the policy > >> + */ > >> +void ima_free_policy_rules(struct ima_namespace *ns) > >> +{ > >> + struct ima_rule_entry *entry, *tmp; > >> + > >> + list_for_each_entry_safe(entry, tmp, &ns->ima_policy_rules, list) { > >> + list_del(&entry->list); > >> + ima_free_rule(entry); > >> + } > >> +} > >> + > > The first time a policy is loaded, the policy rules pivot > > from ima_default_rules to the custom rules. When this happens, the > > architecture specific policy rules are freed. Here too, if a custom > > policy isn't already loaded, the architecture specific rules stored as > > an array need to be freed. Refer to the comment in > > ima_update_policy(). > > Right. So here's how it's done (before arch_policy_entry was moved into > ima_namespace). > > /* > * IMA architecture specific policy rules are specified > * as strings and converted to an array of ima_entry_rules > * on boot. After loading a custom policy, free the > * architecture specific rules stored as an array. > */ > kfree(arch_policy_entry); > > > So, I now added kfree(ns->arch_policy_entry). Yes, that is fine.
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index aea8fb8d2854..8c757223d549 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -329,6 +329,7 @@ void ima_update_policy_flags(struct ima_namespace *ns); ssize_t ima_parse_add_rule(struct ima_namespace *ns, char *rule); void ima_delete_rules(struct ima_namespace *ns); int ima_check_policy(struct ima_namespace *ns); +void ima_free_policy_rules(struct ima_namespace *ns); void *ima_policy_start(struct seq_file *m, loff_t *pos); void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos); void ima_policy_stop(struct seq_file *m, void *v); diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 2dcc5a8c585a..fe3dce8fb939 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -1889,6 +1889,20 @@ void ima_delete_rules(struct ima_namespace *ns) } } +/** + * ima_free_policy_rules - free all policy rules + * @ns: IMA namespace that has the policy + */ +void ima_free_policy_rules(struct ima_namespace *ns) +{ + struct ima_rule_entry *entry, *tmp; + + list_for_each_entry_safe(entry, tmp, &ns->ima_policy_rules, list) { + list_del(&entry->list); + ima_free_rule(entry); + } +} + #define __ima_hook_stringify(func, str) (#func), const char *const func_tokens[] = {
Implement ima_free_policy_rules() that is needed when an ima_namespace is freed. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> --- v10: - Not calling ima_delete_rules() anymore - Move access check from ima_delete_rules into very last patch v9: - Only reset temp_ima_appraise when using init_ima_ns. --- security/integrity/ima/ima.h | 1 + security/integrity/ima/ima_policy.c | 14 ++++++++++++++ 2 files changed, 15 insertions(+)