Commit 1429b3eca23818f87f9fa569a15d9816de81f698
1 parent
b65a9cfc2c
Exists in
master
and in
39 other branches
Untangling ima mess, part 3: kill dead code in ima
Kill the 'update' argument of ima_path_check(), kill dead code in ima. Current rules: ima counters are bumped at the same time when the file switches from put_filp() fodder to fput() one. Which happens exactly in two places - alloc_file() and __dentry_open(). Nothing else needs to do that at all. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Showing 4 changed files with 9 additions and 62 deletions Side-by-side Diff
fs/namei.c
| ... | ... | @@ -1686,7 +1686,7 @@ |
| 1686 | 1686 | path_put(&nd.root); |
| 1687 | 1687 | if (!IS_ERR(filp)) { |
| 1688 | 1688 | error = ima_path_check(&filp->f_path, filp->f_mode & |
| 1689 | - (MAY_READ | MAY_WRITE | MAY_EXEC), 0); | |
| 1689 | + (MAY_READ | MAY_WRITE | MAY_EXEC)); | |
| 1690 | 1690 | if (error) { |
| 1691 | 1691 | fput(filp); |
| 1692 | 1692 | filp = ERR_PTR(error); |
| ... | ... | @@ -1747,7 +1747,7 @@ |
| 1747 | 1747 | filp = nameidata_to_filp(&nd, open_flag); |
| 1748 | 1748 | if (!IS_ERR(filp)) { |
| 1749 | 1749 | error = ima_path_check(&filp->f_path, filp->f_mode & |
| 1750 | - (MAY_READ | MAY_WRITE | MAY_EXEC), 0); | |
| 1750 | + (MAY_READ | MAY_WRITE | MAY_EXEC)); | |
| 1751 | 1751 | if (error) { |
| 1752 | 1752 | fput(filp); |
| 1753 | 1753 | filp = ERR_PTR(error); |
fs/nfsd/vfs.c
| ... | ... | @@ -2122,8 +2122,7 @@ |
| 2122 | 2122 | */ |
| 2123 | 2123 | path.mnt = exp->ex_path.mnt; |
| 2124 | 2124 | path.dentry = dentry; |
| 2125 | - err = ima_path_check(&path, acc & (MAY_READ | MAY_WRITE | MAY_EXEC), | |
| 2126 | - IMA_COUNT_LEAVE); | |
| 2125 | + err = ima_path_check(&path, acc & (MAY_READ | MAY_WRITE | MAY_EXEC)); | |
| 2127 | 2126 | nfsd_out: |
| 2128 | 2127 | return err? nfserrno(err) : 0; |
| 2129 | 2128 | } |
include/linux/ima.h
| ... | ... | @@ -13,18 +13,14 @@ |
| 13 | 13 | #include <linux/fs.h> |
| 14 | 14 | struct linux_binprm; |
| 15 | 15 | |
| 16 | -#define IMA_COUNT_UPDATE 1 | |
| 17 | -#define IMA_COUNT_LEAVE 0 | |
| 18 | - | |
| 19 | 16 | #ifdef CONFIG_IMA |
| 20 | 17 | extern int ima_bprm_check(struct linux_binprm *bprm); |
| 21 | 18 | extern int ima_inode_alloc(struct inode *inode); |
| 22 | 19 | extern void ima_inode_free(struct inode *inode); |
| 23 | -extern int ima_path_check(struct path *path, int mask, int update_counts); | |
| 20 | +extern int ima_path_check(struct path *path, int mask); | |
| 24 | 21 | extern void ima_file_free(struct file *file); |
| 25 | 22 | extern int ima_file_mmap(struct file *file, unsigned long prot); |
| 26 | 23 | extern void ima_counts_get(struct file *file); |
| 27 | -extern void ima_counts_put(struct path *path, int mask); | |
| 28 | 24 | |
| 29 | 25 | #else |
| 30 | 26 | static inline int ima_bprm_check(struct linux_binprm *bprm) |
| ... | ... | @@ -42,7 +38,7 @@ |
| 42 | 38 | return; |
| 43 | 39 | } |
| 44 | 40 | |
| 45 | -static inline int ima_path_check(struct path *path, int mask, int update_counts) | |
| 41 | +static inline int ima_path_check(struct path *path, int mask) | |
| 46 | 42 | { |
| 47 | 43 | return 0; |
| 48 | 44 | } |
| ... | ... | @@ -62,10 +58,6 @@ |
| 62 | 58 | return; |
| 63 | 59 | } |
| 64 | 60 | |
| 65 | -static inline void ima_counts_put(struct path *path, int mask) | |
| 66 | -{ | |
| 67 | - return; | |
| 68 | -} | |
| 69 | 61 | #endif /* CONFIG_IMA_H */ |
| 70 | 62 | #endif /* _LINUX_IMA_H */ |
security/integrity/ima/ima_main.c
| ... | ... | @@ -50,19 +50,12 @@ |
| 50 | 50 | } |
| 51 | 51 | |
| 52 | 52 | /* |
| 53 | - * Update the counts given open flags instead of fmode | |
| 54 | - */ | |
| 55 | -static void ima_inc_counts_flags(struct ima_iint_cache *iint, int flags) | |
| 56 | -{ | |
| 57 | - ima_inc_counts(iint, (__force fmode_t)((flags+1) & O_ACCMODE)); | |
| 58 | -} | |
| 59 | - | |
| 60 | -/* | |
| 61 | 53 | * Decrement ima counts |
| 62 | 54 | */ |
| 63 | 55 | static void ima_dec_counts(struct ima_iint_cache *iint, struct inode *inode, |
| 64 | - fmode_t mode) | |
| 56 | + struct file *file) | |
| 65 | 57 | { |
| 58 | + mode_t mode = file->f_mode; | |
| 66 | 59 | BUG_ON(!mutex_is_locked(&iint->mutex)); |
| 67 | 60 | |
| 68 | 61 | iint->opencount--; |
| ... | ... | @@ -92,12 +85,6 @@ |
| 92 | 85 | } |
| 93 | 86 | } |
| 94 | 87 | |
| 95 | -static void ima_dec_counts_flags(struct ima_iint_cache *iint, | |
| 96 | - struct inode *inode, int flags) | |
| 97 | -{ | |
| 98 | - ima_dec_counts(iint, inode, (__force fmode_t)((flags+1) & O_ACCMODE)); | |
| 99 | -} | |
| 100 | - | |
| 101 | 88 | /** |
| 102 | 89 | * ima_file_free - called on __fput() |
| 103 | 90 | * @file: pointer to file structure being freed |
| ... | ... | @@ -117,7 +104,7 @@ |
| 117 | 104 | return; |
| 118 | 105 | |
| 119 | 106 | mutex_lock(&iint->mutex); |
| 120 | - ima_dec_counts(iint, inode, file->f_mode); | |
| 107 | + ima_dec_counts(iint, inode, file); | |
| 121 | 108 | mutex_unlock(&iint->mutex); |
| 122 | 109 | kref_put(&iint->refcount, iint_free); |
| 123 | 110 | } |
| ... | ... | @@ -183,7 +170,7 @@ |
| 183 | 170 | * Always return 0 and audit dentry_open failures. |
| 184 | 171 | * (Return code will be based upon measurement appraisal.) |
| 185 | 172 | */ |
| 186 | -int ima_path_check(struct path *path, int mask, int update_counts) | |
| 173 | +int ima_path_check(struct path *path, int mask) | |
| 187 | 174 | { |
| 188 | 175 | struct inode *inode = path->dentry->d_inode; |
| 189 | 176 | struct ima_iint_cache *iint; |
| ... | ... | @@ -197,8 +184,6 @@ |
| 197 | 184 | return 0; |
| 198 | 185 | |
| 199 | 186 | mutex_lock(&iint->mutex); |
| 200 | - if (update_counts) | |
| 201 | - ima_inc_counts_flags(iint, mask); | |
| 202 | 187 | |
| 203 | 188 | rc = ima_must_measure(iint, inode, MAY_READ, PATH_CHECK); |
| 204 | 189 | if (rc < 0) |
| ... | ... | @@ -266,35 +251,6 @@ |
| 266 | 251 | mutex_unlock(&iint->mutex); |
| 267 | 252 | kref_put(&iint->refcount, iint_free); |
| 268 | 253 | return rc; |
| 269 | -} | |
| 270 | - | |
| 271 | -/* | |
| 272 | - * ima_counts_put - decrement file counts | |
| 273 | - * | |
| 274 | - * File counts are incremented in ima_path_check. On file open | |
| 275 | - * error, such as ETXTBSY, decrement the counts to prevent | |
| 276 | - * unnecessary imbalance messages. | |
| 277 | - */ | |
| 278 | -void ima_counts_put(struct path *path, int mask) | |
| 279 | -{ | |
| 280 | - struct inode *inode = path->dentry->d_inode; | |
| 281 | - struct ima_iint_cache *iint; | |
| 282 | - | |
| 283 | - /* The inode may already have been freed, freeing the iint | |
| 284 | - * with it. Verify the inode is not NULL before dereferencing | |
| 285 | - * it. | |
| 286 | - */ | |
| 287 | - if (!ima_initialized || !inode || !S_ISREG(inode->i_mode)) | |
| 288 | - return; | |
| 289 | - iint = ima_iint_find_get(inode); | |
| 290 | - if (!iint) | |
| 291 | - return; | |
| 292 | - | |
| 293 | - mutex_lock(&iint->mutex); | |
| 294 | - ima_dec_counts_flags(iint, inode, mask); | |
| 295 | - mutex_unlock(&iint->mutex); | |
| 296 | - | |
| 297 | - kref_put(&iint->refcount, iint_free); | |
| 298 | 254 | } |
| 299 | 255 | |
| 300 | 256 | /* |