summaryrefslogtreecommitdiffstats
path: root/security/integrity
diff options
context:
space:
mode:
authorMimi Zohar <zohar@linux.vnet.ibm.com>2011-02-22 16:19:43 +0100
committerMimi Zohar <zohar@linux.vnet.ibm.com>2011-02-23 22:38:52 +0100
commit1adace9bb04a5f4a4dea9e642089102661bb0ceb (patch)
tree2396099935c50d838899a01da1438b8a441619de /security/integrity
parentIMA: remove IMA imbalance checking (diff)
downloadlinux-1adace9bb04a5f4a4dea9e642089102661bb0ceb.tar.xz
linux-1adace9bb04a5f4a4dea9e642089102661bb0ceb.zip
ima: remove unnecessary call to ima_must_measure
The original ima_must_measure() function based its results on cached iint information, which required an iint be allocated for all files. Currently, an iint is allocated only for files in policy. As a result, for those files in policy, ima_must_measure() is now called twice: once to determine if the inode is in the measurement policy and, the second time, to determine if it needs to be measured/re-measured. The second call to ima_must_measure() unnecessarily checks to see if the file is in policy. As we already know the file is in policy, this patch removes the second unnecessary call to ima_must_measure(), removes the vestige iint parameter, and just checks the iint directly to determine if the inode has been measured or needs to be measured/re-measured. Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Acked-by: Eric Paris <eparis@redhat.com>
Diffstat (limited to 'security/integrity')
-rw-r--r--security/integrity/ima/ima.h3
-rw-r--r--security/integrity/ima/ima_api.c13
-rw-r--r--security/integrity/ima/ima_main.c6
3 files changed, 7 insertions, 15 deletions
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index ac79032bdf23..08408bd71462 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -110,8 +110,7 @@ struct ima_iint_cache {
};
/* LIM API function definitions */
-int ima_must_measure(struct ima_iint_cache *iint, struct inode *inode,
- int mask, int function);
+int ima_must_measure(struct inode *inode, int mask, int function);
int ima_collect_measurement(struct ima_iint_cache *iint, struct file *file);
void ima_store_measurement(struct ima_iint_cache *iint, struct file *file,
const unsigned char *filename);
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index d3963de6003d..da36d2c085a4 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -105,20 +105,13 @@ err_out:
* mask: contains the permission mask
* fsmagic: hex value
*
- * Must be called with iint->mutex held.
- *
- * Return 0 to measure. Return 1 if already measured.
- * For matching a DONT_MEASURE policy, no policy, or other
- * error, return an error code.
+ * Return 0 to measure. For matching a DONT_MEASURE policy, no policy,
+ * or other error, return an error code.
*/
-int ima_must_measure(struct ima_iint_cache *iint, struct inode *inode,
- int mask, int function)
+int ima_must_measure(struct inode *inode, int mask, int function)
{
int must_measure;
- if (iint && iint->flags & IMA_MEASURED)
- return 1;
-
must_measure = ima_match_policy(inode, function, mask);
return must_measure ? 0 : -EACCES;
}
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 2df902151193..39d66dc2b8e9 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -65,7 +65,7 @@ static void ima_rdwr_violation_check(struct file *file)
goto out;
}
- rc = ima_must_measure(NULL, inode, MAY_READ, FILE_CHECK);
+ rc = ima_must_measure(inode, MAY_READ, FILE_CHECK);
if (rc < 0)
goto out;
@@ -127,7 +127,7 @@ static int process_measurement(struct file *file, const unsigned char *filename,
if (!ima_initialized || !S_ISREG(inode->i_mode))
return 0;
- rc = ima_must_measure(NULL, inode, mask, function);
+ rc = ima_must_measure(inode, mask, function);
if (rc != 0)
return rc;
retry:
@@ -141,7 +141,7 @@ retry:
mutex_lock(&iint->mutex);
- rc = ima_must_measure(iint, inode, mask, function);
+ rc = iint->flags & IMA_MEASURED ? 1 : 0;
if (rc != 0)
goto out;