ima: Add the violation counter to the namespace

hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I49KW1 CVE: NA -------------------------------- The violations are now tracked per namespace. Signed-off-by: N Krzysztof Struczynski <krzysztof.struczynski@huawei.com> Reviewed-by: N Zhang Tianxing <zhangtianxing3@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

ima: Add the violation counter to the namespace
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I49KW1 CVE: NA -------------------------------- The violations are now tracked per namespace. Signed-off-by: N Krzysztof Struczynski <krzysztof.struczynski@huawei.com> Reviewed-by: N Zhang Tianxing <zhangtianxing3@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
5622ee15 · Krzysztof Struczynski · Zheng Zengkai · 441a760d · 5622ee15 · 5622ee15
7 changed file
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -234,6 +234,7 @@ struct ima_namespace {
 	struct integrity_iint_tree *iint_tree;
 	struct list_head ns_measurements;
 	atomic_long_t ml_len; /* number of stored measurements in the list */
+	atomic_long_t violations;
 } __randomize_layout;
 extern struct ima_namespace init_ima_ns;

--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -191,7 +191,6 @@ extern spinlock_t ima_htable_lock;
 struct ima_h_table {
 	atomic_long_t len;      /* number of stored measurements in the list */
-	atomic_long_t violations;
 	struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
 };
 extern struct ima_h_table ima_htable;

--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -171,7 +171,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename,
 	event_data.ns_id = get_ns_id(ima_ns);
 	/* can overflow, only indicator */
-	atomic_long_inc(&ima_htable.violations);
+	atomic_long_inc(&ima_ns->violations);
 	result = ima_alloc_init_template(&event_data, &entry, NULL);
 	if (result < 0) {

--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -61,7 +61,7 @@ static ssize_t ima_show_htable_value(struct file *filp, char __user *buf,
 	struct ima_namespace *ima_ns = get_current_ns();
 	if (filp->f_path.dentry == violations)
-		val = &ima_htable.violations;
+		val = &ima_ns->violations;
 	else if (filp->f_path.dentry == runtime_measurements_count)
 		val = (ima_ns == &init_ima_ns) ? &ima_ml_len : &ima_ns->ml_len;
 #ifdef CONFIG_IMA_DIGEST_LIST
@@ -646,7 +646,7 @@ int __init ima_fs_init(void)
 		goto out;
 	violations =
-	    securityfs_create_file("violations", S_IRUSR | S_IRGRP,
+	    securityfs_create_file("violations", S_IRUSR | S_IRGRP | S_IROTH,
 				   ima_dir, NULL, &ima_htable_value_ops);
 	if (IS_ERR(violations))
 		goto out;

--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -37,6 +37,7 @@ struct ima_namespace init_ima_ns = {
 	.iint_tree = &init_iint_tree,
 	.ns_measurements = LIST_HEAD_INIT(init_ima_ns.ns_measurements),
 	.ml_len = ATOMIC_LONG_INIT(0),
+	.violations = ATOMIC_LONG_INIT(0),
 };
 EXPORT_SYMBOL(init_ima_ns);

--- a/security/integrity/ima/ima_ns.c
+++ b/security/integrity/ima/ima_ns.c
@@ -128,6 +128,7 @@ static struct ima_namespace *clone_ima_ns(struct user_namespace *user_ns,
 	ns->ucounts = ucounts;
 	ns->frozen = false;
 	atomic_long_set(&ns->ml_len, 0);
+	atomic_long_set(&ns->violations, 0);
 	rwlock_init(&ns->iint_tree->lock);
 	ns->iint_tree->root = RB_ROOT;

--- a/security/integrity/ima/ima_queue.c
+++ b/security/integrity/ima/ima_queue.c
@@ -38,7 +38,6 @@ DEFINE_SPINLOCK(ima_htable_lock);
 /* key: inode (before secure-hashing a file) */
 struct ima_h_table ima_htable = {
 	.len = ATOMIC_LONG_INIT(0),
-	.violations = ATOMIC_LONG_INIT(0),
 	.queue[0 ... IMA_MEASURE_HTABLE_SIZE - 1] = HLIST_HEAD_INIT
 };