| -rw-r--r-- | fs/namei.c | 4 | ||||
| -rw-r--r-- | fs/nfsd/vfs.c | 3 | ||||
| -rw-r--r-- | include/linux/ima.h | 12 | ||||
| -rw-r--r-- | security/integrity/ima/ima_main.c | 52 | 
4 files changed, 9 insertions, 62 deletions
diff --git a/fs/namei.c b/fs/namei.c
index c530e5d32f1..a765e7a741f 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1686,7 +1686,7 @@ do_last:
 			path_put(&nd.root);
 		if (!IS_ERR(filp)) {
 			error = ima_path_check(&filp->f_path, filp->f_mode &
-				       (MAY_READ | MAY_WRITE | MAY_EXEC), 0);
+				       (MAY_READ | MAY_WRITE | MAY_EXEC));
 			if (error) {
 				fput(filp);
 				filp = ERR_PTR(error);
@@ -1747,7 +1747,7 @@ ok:
 	filp = nameidata_to_filp(&nd, open_flag);
 	if (!IS_ERR(filp)) {
 		error = ima_path_check(&filp->f_path, filp->f_mode &
-			       (MAY_READ | MAY_WRITE | MAY_EXEC), 0);
+			       (MAY_READ | MAY_WRITE | MAY_EXEC));
 		if (error) {
 			fput(filp);
 			filp = ERR_PTR(error);
diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
index c9942b39654..936f08400db 100644
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -2122,8 +2122,7 @@ nfsd_permission(struct svc_rqst *rqstp, struct svc_export *exp,
 	 */
 	path.mnt = exp->ex_path.mnt;
 	path.dentry = dentry;
-	err = ima_path_check(&path, acc & (MAY_READ | MAY_WRITE | MAY_EXEC),
-			     IMA_COUNT_LEAVE);
+	err = ima_path_check(&path, acc & (MAY_READ | MAY_WRITE | MAY_EXEC));
 nfsd_out:
 	return err? nfserrno(err) : 0;
 }
diff --git a/include/linux/ima.h b/include/linux/ima.h
index 0e3f2a4c25f..99dc6d5cf7e 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
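Review bot: The mask passed to ima_path_check in both fs/namei.c hunks (at `do_last:` and again at `ok:`) is still built from `filp->f_mode`, which holds FMODE_* bits, while the callee and the fs/nfsd/vfs.c caller treat the argument as MAY_* permission bits; on the definitions of this era FMODE_READ and MAY_EXEC both occupy bit 0 and FMODE_LSEEK shares bit 2 with MAY_READ, so a read-only open would reach IMA looking like an exec and a seekable one like a read. The commit drops the third argument without touching this, leaving the two namei.c call sites inconsistent with `acc & (MAY_READ | MAY_WRITE | MAY_EXEC)` in nfsd_permission, where `acc` already is a MAY_* mask. If the MAY_* access mode that do_filp_open derives from the open flags is still in scope at these labels, pass that instead, e.g. `error = ima_path_check(&filp->f_path, acc_mode & (MAY_READ | MAY_WRITE | MAY_EXEC));`; otherwise translate f_mode to MAY_* bits explicitly before the call. Both hunks lie inside a function whose start and end are outside the hunks.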
@@ -13,18 +13,14 @@  #include <linux/fs.h>  struct linux_binprm; -#define IMA_COUNT_UPDATE 1 -#define IMA_COUNT_LEAVE 0 -  #ifdef CONFIG_IMA  extern int ima_bprm_check(struct linux_binprm *bprm);  extern int ima_inode_alloc(struct inode *inode);  extern void ima_inode_free(struct inode *inode); -extern int ima_path_check(struct path *path, int mask, int update_counts); +extern int ima_path_check(struct path *path, int mask);  extern void ima_file_free(struct file *file);  extern int ima_file_mmap(struct file *file, unsigned long prot);  extern void ima_counts_get(struct file *file); -extern void ima_counts_put(struct path *path, int mask);  #else  static inline int ima_bprm_check(struct linux_binprm *bprm) @@ -42,7 +38,7 @@ static inline void ima_inode_free(struct inode *inode)  	return;  } -static inline int ima_path_check(struct path *path, int mask, int update_counts) +static inline int ima_path_check(struct path *path, int mask)  {  	return 0;  } @@ -62,9 +58,5 @@ static inline void ima_counts_get(struct file *file)  	return;  } -static inline void ima_counts_put(struct path *path, int mask) -{ -	return; -}  #endif /* CONFIG_IMA_H */  #endif /* _LINUX_IMA_H */ diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index e041233b4d2..16dc57d247d 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -50,19 +50,12 @@ static void ima_inc_counts(struct ima_iint_cache *iint, fmode_t mode)  }  /* - * Update the counts given open flags instead of fmode - */ -static void ima_inc_counts_flags(struct ima_iint_cache *iint, int flags) -{ -	ima_inc_counts(iint, (__force fmode_t)((flags+1) & O_ACCMODE)); -} - -/*   * Decrement ima counts   */  static void ima_dec_counts(struct ima_iint_cache *iint, struct inode *inode, -			   fmode_t mode) +			   struct file *file)  { +	mode_t mode = file->f_mode;  	BUG_ON(!mutex_is_locked(&iint->mutex));  	iint->opencount--; 
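Review bot: In the security/integrity/ima/ima_main.c hunk, `mode_t mode = file->f_mode;` stores an `fmode_t` (the type of `file->f_mode` and of the `fmode_t mode` parameter this line replaces) in a `mode_t`, the type used for inode permission bits; the implicit conversion defeats the `__bitwise` check sparse performs on fmode_t and suggests to a reader that inode mode bits are being examined. Declare it as `fmode_t mode = file->f_mode;`. The part of ima_dec_counts that consumes `mode` continues past the end of the hunk, so the later comparisons could not be checked here. The three include/linux/ima.h hunks are declaration changes that match the new definitions and need nothing further.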
@@ -92,12 +85,6 @@ static void ima_dec_counts(struct ima_iint_cache *iint, struct inode *inode,  	}  } -static void ima_dec_counts_flags(struct ima_iint_cache *iint, -				 struct inode *inode, int flags) -{ -	ima_dec_counts(iint, inode, (__force fmode_t)((flags+1) & O_ACCMODE)); -} -  /**   * ima_file_free - called on __fput()   * @file: pointer to file structure being freed @@ -117,7 +104,7 @@ void ima_file_free(struct file *file)  		return;  	mutex_lock(&iint->mutex); -	ima_dec_counts(iint, inode, file->f_mode); +	ima_dec_counts(iint, inode, file);  	mutex_unlock(&iint->mutex);  	kref_put(&iint->refcount, iint_free);  } @@ -183,7 +170,7 @@ static int get_path_measurement(struct ima_iint_cache *iint, struct file *file,   * Always return 0 and audit dentry_open failures.   * (Return code will be based upon measurement appraisal.)   */ -int ima_path_check(struct path *path, int mask, int update_counts) +int ima_path_check(struct path *path, int mask)  {  	struct inode *inode = path->dentry->d_inode;  	struct ima_iint_cache *iint; @@ -197,8 +184,6 @@ int ima_path_check(struct path *path, int mask, int update_counts)  		return 0;  	mutex_lock(&iint->mutex); -	if (update_counts) -		ima_inc_counts_flags(iint, mask);  	rc = ima_must_measure(iint, inode, MAY_READ, PATH_CHECK);  	if (rc < 0) 
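Review bot: The comment block above `ima_path_check` (its visible tail reads `Always return 0 and audit dentry_open failures.`) still describes the old contract: with the `update_counts` parameter and the `ima_inc_counts_flags` call removed in the last hunk, this function no longer touches the iint open counts, so callers that used to pass IMA_COUNT_UPDATE now depend on whichever path increments them — presumably `ima_counts_get`, which the header still exports — and on `ima_file_free` to release them. Add a sentence to that comment stating this, e.g. `Does not update the iint open counts; callers rely on ima_counts_get()/ima_file_free() for that.`, so the next change to the accounting does not reintroduce a double count here. After the removal, `mask` has no consumer inside the hunk; whether it is still read further down cannot be seen, since the body of ima_path_check continues past the hunk.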
@@ -269,35 +254,6 @@ out:  }  /* - * ima_counts_put - decrement file counts - * - * File counts are incremented in ima_path_check. On file open - * error, such as ETXTBSY, decrement the counts to prevent - * unnecessary imbalance messages. - */ -void ima_counts_put(struct path *path, int mask) -{ -	struct inode *inode = path->dentry->d_inode; -	struct ima_iint_cache *iint; - -	/* The inode may already have been freed, freeing the iint -	 * with it. Verify the inode is not NULL before dereferencing -	 * it. -	 */ -	if (!ima_initialized || !inode || !S_ISREG(inode->i_mode)) -		return; -	iint = ima_iint_find_get(inode); -	if (!iint) -		return; - -	mutex_lock(&iint->mutex); -	ima_dec_counts_flags(iint, inode, mask); -	mutex_unlock(&iint->mutex); - -	kref_put(&iint->refcount, iint_free); -} - -/*   * ima_counts_get - increment file counts   *   * - for IPC shm and shmat file.  |