diff mbox series

[RFC,11/30] ima: Keep track of the measurment list per ima namespace

Message ID 20200818154230.14016-2-krzysztof.struczynski@huawei.com (mailing list archive)
State New, archived
Headers show
Series None | expand

Commit Message

Krzysztof Struczynski Aug. 18, 2020, 3:42 p.m. UTC 
From: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>

Add a pointer to the tail of the measurement list to the ima namespace
when the namespace is created. This will allow to skip the irrelevant
measurement list entries while iterating the measurement list in that
ima namespace. Only entries with the matching ima namespace ID will be
displayed.

Signed-off-by: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>
---
 include/linux/ima.h               | 1 +
 security/integrity/ima/ima_init.c | 1 +
 security/integrity/ima/ima_ns.c   | 5 +++++
 3 files changed, 7 insertions(+)
diff mbox series

Patch

diff --git a/include/linux/ima.h b/include/linux/ima.h
index 1d0439d86ade..df22143ffe30 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -202,6 +202,7 @@  struct ima_namespace {
 	bool frozen;
 	struct ima_policy_data *policy_data;
 	struct integrity_iint_tree *iint_tree;
+	struct list_head *measurements;
 } __randomize_layout;
 
 extern struct ima_namespace init_ima_ns;
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index d63ecb02b032..aece357286b8 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -35,6 +35,7 @@  struct ima_namespace init_ima_ns = {
 	.frozen = true,
 	.policy_data = &init_policy_data,
 	.iint_tree = &init_iint_tree,
+	.measurements = &ima_measurements,
 };
 EXPORT_SYMBOL(init_ima_ns);
 
diff --git a/security/integrity/ima/ima_ns.c b/security/integrity/ima/ima_ns.c
index 04aa50473971..f331187a4d3c 100644
--- a/security/integrity/ima/ima_ns.c
+++ b/security/integrity/ima/ima_ns.c
@@ -293,6 +293,11 @@  static int imans_activate(struct ima_namespace *ima_ns)
 
 	ima_ns->frozen = true;
 
+	/* Set current last element as list's head */
+	rcu_read_lock();
+	ima_ns->measurements = list_tail_rcu(&ima_measurements);
+	rcu_read_unlock();
+
 	down_write(&ima_ns_list_lock);
 	list_add_tail(&ima_ns->list, &ima_ns_list);
 	up_write(&ima_ns_list_lock);