1. 02 11月, 2011 1 次提交
  2. 27 7月, 2011 1 次提交
  3. 24 2月, 2011 1 次提交
    • M
      ima: remove unnecessary call to ima_must_measure · 1adace9b
      Mimi Zohar 提交于
      The original ima_must_measure() function based its results on cached
      iint information, which required an iint be allocated for all files.
      Currently, an iint is allocated only for files in policy.  As a result,
      for those files in policy, ima_must_measure() is now called twice: once
      to determine if the inode is in the measurement policy and, the second
      time, to determine if it needs to be measured/re-measured.
      
      The second call to ima_must_measure() unnecessarily checks to see if
      the file is in policy. As we already know the file is in policy, this
      patch removes the second unnecessary call to ima_must_measure(), removes
      the vestige iint parameter, and just checks the iint directly to determine
      if the inode has been measured or needs to be measured/re-measured.
      Signed-off-by: NMimi Zohar <zohar@us.ibm.com>
      Acked-by: NEric Paris <eparis@redhat.com>
      1adace9b
  4. 10 2月, 2011 3 次提交
  5. 04 1月, 2011 1 次提交
    • M
      ima: fix add LSM rule bug · 867c2026
      Mimi Zohar 提交于
      If security_filter_rule_init() doesn't return a rule, then not everything
      is as fine as the return code implies.
      
      This bug only occurs when the LSM (eg. SELinux) is disabled at runtime.
      
      Adding an empty LSM rule causes ima_match_rules() to always succeed,
      ignoring any remaining rules.
      
       default IMA TCB policy:
        # PROC_SUPER_MAGIC
        dont_measure fsmagic=0x9fa0
        # SYSFS_MAGIC
        dont_measure fsmagic=0x62656572
        # DEBUGFS_MAGIC
        dont_measure fsmagic=0x64626720
        # TMPFS_MAGIC
        dont_measure fsmagic=0x01021994
        # SECURITYFS_MAGIC
        dont_measure fsmagic=0x73636673
      
        < LSM specific rule >
        dont_measure obj_type=var_log_t
      
        measure func=BPRM_CHECK
        measure func=FILE_MMAP mask=MAY_EXEC
        measure func=FILE_CHECK mask=MAY_READ uid=0
      
      Thus without the patch, with the boot parameters 'tcb selinux=0', adding
      the above 'dont_measure obj_type=var_log_t' rule to the default IMA TCB
      measurement policy, would result in nothing being measured.  The patch
      prevents the default TCB policy from being replaced.
      Signed-off-by: NMimi Zohar <zohar@us.ibm.com>
      Cc: James Morris <jmorris@namei.org>
      Acked-by: NSerge Hallyn <serge.hallyn@canonical.com>
      Cc: David Safford <safford@watson.ibm.com>
      Cc: <stable@kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      867c2026
  6. 27 10月, 2010 11 次提交
    • E
      IMA: fix the ToMToU logic · bade72d6
      Eric Paris 提交于
      Current logic looks like this:
      
              rc = ima_must_measure(NULL, inode, MAY_READ, FILE_CHECK);
              if (rc < 0)
                      goto out;
      
              if (mode & FMODE_WRITE) {
                      if (inode->i_readcount)
                              send_tomtou = true;
                      goto out;
              }
      
              if (atomic_read(&inode->i_writecount) > 0)
                      send_writers = true;
      
      Lets assume we have a policy which states that all files opened for read
      by root must be measured.
      
      Lets assume the file has permissions 777.
      
      Lets assume that root has the given file open for read.
      
      Lets assume that a non-root process opens the file write.
      
      The non-root process will get to ima_counts_get() and will check the
      ima_must_measure().  Since it is not supposed to measure it will goto
      out.
      
      We should check the i_readcount no matter what since we might be causing
      a ToMToU voilation!
      
      This is close to correct, but still not quite perfect.  The situation
      could have been that root, which was interested in the mesurement opened
      and closed the file and another process which is not interested in the
      measurement is the one holding the i_readcount ATM.  This is just overly
      strict on ToMToU violations, which is better than not strict enough...
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Acked-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      bade72d6
    • E
      IMA: explicit IMA i_flag to remove global lock on inode_delete · 196f5181
      Eric Paris 提交于
      Currently for every removed inode IMA must take a global lock and search
      the IMA rbtree looking for an associated integrity structure.  Instead
      we explicitly mark an inode when we add an integrity structure so we
      only have to take the global lock and do the removal if it exists.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Acked-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      196f5181
    • E
      IMA: drop refcnt from ima_iint_cache since it isn't needed · 64c62f06
      Eric Paris 提交于
      Since finding a struct ima_iint_cache requires a valid struct inode, and
      the struct ima_iint_cache is supposed to have the same lifetime as a
      struct inode (technically they die together but don't need to be created
      at the same time) we don't have to worry about the ima_iint_cache
      outliving or dieing before the inode.  So the refcnt isn't useful.  Just
      get rid of it and free the structure when the inode is freed.
      Signed-off-by: NEric Paris <eapris@redhat.com>
      Acked-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      64c62f06
    • E
      IMA: only allocate iint when needed · bc7d2a3e
      Eric Paris 提交于
      IMA always allocates an integrity structure to hold information about
      every inode, but only needed this structure to track the number of
      readers and writers currently accessing a given inode.  Since that
      information was moved into struct inode instead of the integrity struct
      this patch stops allocating the integrity stucture until it is needed.
      Thus greatly reducing memory usage.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Acked-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      bc7d2a3e
    • E
      IMA: move read counter into struct inode · a178d202
      Eric Paris 提交于
      IMA currently allocated an inode integrity structure for every inode in
      core.  This stucture is about 120 bytes long.  Most files however
      (especially on a system which doesn't make use of IMA) will never need
      any of this space.  The problem is that if IMA is enabled we need to
      know information about the number of readers and the number of writers
      for every inode on the box.  At the moment we collect that information
      in the per inode iint structure and waste the rest of the space.  This
      patch moves those counters into the struct inode so we can eventually
      stop allocating an IMA integrity structure except when absolutely
      needed.
      
      This patch does the minimum needed to move the location of the data.
      Further cleanups, especially the location of counter updates, may still
      be possible.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Acked-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      a178d202
    • E
      IMA: use i_writecount rather than a private counter · b9593d30
      Eric Paris 提交于
      IMA tracks the number of struct files which are holding a given inode
      readonly and the number which are holding the inode write or r/w.  It
      needs this information so when a new reader or writer comes in it can
      tell if this new file will be able to invalidate results it already made
      about existing files.
      
      aka if a task is holding a struct file open RO, IMA measured the file
      and recorded those measurements and then a task opens the file RW IMA
      needs to note in the logs that the old measurement may not be correct.
      It's called a "Time of Measure Time of Use" (ToMToU) issue.  The same is
      true is a RO file is opened to an inode which has an open writer.  We
      cannot, with any validity, measure the file in question since it could
      be changing.
      
      This patch attempts to use the i_writecount field to track writers.  The
      i_writecount field actually embeds more information in it's value than
      IMA needs but it should work for our purposes and allow us to shrink the
      struct inode even more.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Acked-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      b9593d30
    • E
      IMA: use inode->i_lock to protect read and write counters · ad16ad00
      Eric Paris 提交于
      Currently IMA used the iint->mutex to protect the i_readcount and
      i_writecount.  This patch uses the inode->i_lock since we are going to
      start using in inode objects and that is the most appropriate lock.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Acked-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      ad16ad00
    • E
      IMA: convert internal flags from long to char · 15aac676
      Eric Paris 提交于
      The IMA flags is an unsigned long but there is only 1 flag defined.
      Lets save a little space and make it a char.  This packs nicely next to
      the array of u8's.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Acked-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      15aac676
    • E
      IMA: use unsigned int instead of long for counters · 497f3233
      Eric Paris 提交于
      Currently IMA uses 2 longs in struct inode.  To save space (and as it
      seems impossible to overflow 32 bits) we switch these to unsigned int.
      The switch to unsigned does require slightly different checks for
      underflow, but it isn't complex.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Acked-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      497f3233
    • E
      IMA: drop the inode opencount since it isn't needed for operation · b575156d
      Eric Paris 提交于
      The opencount was used to help debugging to make sure that everything
      which created a struct file also correctly made the IMA calls.  Since we
      moved all of that into the VFS this isn't as necessary.  We should be
      able to get the same amount of debugging out of just the reader and
      write count.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Acked-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      b575156d
    • E
      IMA: use rbtree instead of radix tree for inode information cache · 85491641
      Eric Paris 提交于
      The IMA code needs to store the number of tasks which have an open fd
      granting permission to write a file even when IMA is not in use.  It
      needs this information in order to be enabled at a later point in time
      without losing it's integrity garantees.
      
      At the moment that means we store a little bit of data about every inode
      in a cache.  We use a radix tree key'd on the inode's memory address.
      Dave Chinner pointed out that a radix tree is a terrible data structure
      for such a sparse key space.  This patch switches to using an rbtree
      which should be more efficient.
      
      Bug report from Dave:
      
       "I just noticed that slabtop was reporting an awfully high usage of
        radix tree nodes:
      
         OBJS ACTIVE  USE OBJ SIZE  SLABS OBJ/SLAB CACHE SIZE NAME
        4200331 2778082  66%    0.55K 144839       29   2317424K radix_tree_node
        2321500 2060290  88%    1.00K  72581       32   2322592K xfs_inode
        2235648 2069791  92%    0.12K  69864       32    279456K iint_cache
      
        That is, 2.7M radix tree nodes are allocated, and the cache itself is
        consuming 2.3GB of RAM.  I know that the XFS inodei caches are indexed
        by radix tree node, but for 2 million cached inodes that would mean a
        density of 1 inode per radix tree node, which for a system with 16M
        inodes in the filsystems is an impossibly low density.  The worst I've
        seen in a production system like kernel.org is about 20-25% density,
        which would mean about 150-200k radix tree nodes for that many inodes.
        So it's not the inode cache.
      
        So I looked up what the iint_cache was.  It appears to used for
        storing per-inode IMA information, and uses a radix tree for indexing.
        It uses the *address* of the struct inode as the indexing key.  That
        means the key space is extremely sparse - for XFS the struct inode
        addresses are approximately 1000 bytes apart, which means the closest
        the radix tree index keys get is ~1000.  Which means that there is a
        single entry per radix tree leaf node, so the radix tree is using
        roughly 550 bytes for every 120byte structure being cached.  For the
        above example, it's probably wasting close to 1GB of RAM...."
      Reported-by: NDave Chinner <david@fromorbit.com>
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Acked-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      85491641
  7. 08 9月, 2010 1 次提交
    • M
      ima: always maintain counters · e950598d
      Mimi Zohar 提交于
      commit 8262bb85da allocated the inode integrity struct (iint) before any
      inodes were created. Only after IMA was initialized in late_initcall were
      the counters updated. This patch updates the counters, whether or not IMA
      has been initialized, to resolve 'imbalance' messages.
      
      This patch fixes the bug as reported in bugzilla: 15673.  When the i915
      is builtin, the ring_buffer is initialized before IMA, causing the
      imbalance message on suspend.
      Reported-by: NThomas Meyer <thomas@m3y3r.de>
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      Tested-by: NThomas Meyer <thomas@m3y3r.de>
      Tested-by: David Safford<safford@watson.ibm.com>
      Cc: Stable Kernel <stable@kernel.org>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      e950598d
  8. 02 8月, 2010 1 次提交
  9. 22 5月, 2010 1 次提交
  10. 17 5月, 2010 1 次提交
  11. 07 5月, 2010 1 次提交
  12. 05 5月, 2010 1 次提交
  13. 23 4月, 2010 1 次提交
  14. 21 4月, 2010 8 次提交
  15. 30 3月, 2010 1 次提交
    • T
      include cleanup: Update gfp.h and slab.h includes to prepare for breaking... · 5a0e3ad6
      Tejun Heo 提交于
      include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
      
      percpu.h is included by sched.h and module.h and thus ends up being
      included when building most .c files.  percpu.h includes slab.h which
      in turn includes gfp.h making everything defined by the two files
      universally available and complicating inclusion dependencies.
      
      percpu.h -> slab.h dependency is about to be removed.  Prepare for
      this change by updating users of gfp and slab facilities include those
      headers directly instead of assuming availability.  As this conversion
      needs to touch large number of source files, the following script is
      used as the basis of conversion.
      
        http://userweb.kernel.org/~tj/misc/slabh-sweep.py
      
      The script does the followings.
      
      * Scan files for gfp and slab usages and update includes such that
        only the necessary includes are there.  ie. if only gfp is used,
        gfp.h, if slab is used, slab.h.
      
      * When the script inserts a new include, it looks at the include
        blocks and try to put the new include such that its order conforms
        to its surrounding.  It's put in the include block which contains
        core kernel includes, in the same order that the rest are ordered -
        alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
        doesn't seem to be any matching order.
      
      * If the script can't find a place to put a new include (mostly
        because the file doesn't have fitting include block), it prints out
        an error message indicating which .h file needs to be added to the
        file.
      
      The conversion was done in the following steps.
      
      1. The initial automatic conversion of all .c files updated slightly
         over 4000 files, deleting around 700 includes and adding ~480 gfp.h
         and ~3000 slab.h inclusions.  The script emitted errors for ~400
         files.
      
      2. Each error was manually checked.  Some didn't need the inclusion,
         some needed manual addition while adding it to implementation .h or
         embedding .c file was more appropriate for others.  This step added
         inclusions to around 150 files.
      
      3. The script was run again and the output was compared to the edits
         from #2 to make sure no file was left behind.
      
      4. Several build tests were done and a couple of problems were fixed.
         e.g. lib/decompress_*.c used malloc/free() wrappers around slab
         APIs requiring slab.h to be added manually.
      
      5. The script was run on all .h files but without automatically
         editing them as sprinkling gfp.h and slab.h inclusions around .h
         files could easily lead to inclusion dependency hell.  Most gfp.h
         inclusion directives were ignored as stuff from gfp.h was usually
         wildly available and often used in preprocessor macros.  Each
         slab.h inclusion directive was examined and added manually as
         necessary.
      
      6. percpu.h was updated not to include slab.h.
      
      7. Build test were done on the following configurations and failures
         were fixed.  CONFIG_GCOV_KERNEL was turned off for all tests (as my
         distributed build env didn't work with gcov compiles) and a few
         more options had to be turned off depending on archs to make things
         build (like ipr on powerpc/64 which failed due to missing writeq).
      
         * x86 and x86_64 UP and SMP allmodconfig and a custom test config.
         * powerpc and powerpc64 SMP allmodconfig
         * sparc and sparc64 SMP allmodconfig
         * ia64 SMP allmodconfig
         * s390 SMP allmodconfig
         * alpha SMP allmodconfig
         * um on x86_64 SMP allmodconfig
      
      8. percpu.h modifications were reverted so that it could be applied as
         a separate patch and serve as bisection point.
      
      Given the fact that I had only a couple of failures from tests on step
      6, I'm fairly confident about the coverage of this conversion patch.
      If there is a breakage, it's likely to be something in one of the arch
      headers which should be easily discoverable easily on most builds of
      the specific arch.
      Signed-off-by: NTejun Heo <tj@kernel.org>
      Guess-its-ok-by: NChristoph Lameter <cl@linux-foundation.org>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
      5a0e3ad6
  16. 10 3月, 2010 1 次提交
  17. 25 2月, 2010 1 次提交
  18. 07 2月, 2010 4 次提交