Commit 94e5d714f604d4cb4cb13163f01ede278e69258b

Authored by Mimi Zohar
Committed by James Morris
1 parent 79b854c549

integrity: add ima_counts_put (updated)

This patch fixes an imbalance message as reported by J.R. Okajima.
The IMA file counters are incremented in ima_path_check. If the
actual open fails, such as ETXTBSY, decrement the counters to
prevent unnecessary imbalance messages.

Reported-by: J.R. Okajima <hooanon05@yahoo.co.jp>
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>

Showing 3 changed files with 41 additions and 1 deletions

... ... @@ -1761,6 +1761,10 @@
1761 1761 goto exit;
1762 1762 }
1763 1763 filp = nameidata_to_filp(&nd, open_flag);
  1764 + if (IS_ERR(filp))
  1765 + ima_counts_put(&nd.path,
  1766 + acc_mode & (MAY_READ | MAY_WRITE |
  1767 + MAY_EXEC));
1764 1768 mnt_drop_write(nd.path.mnt);
1765 1769 if (nd.root.mnt)
1766 1770 path_put(&nd.root);
... ... @@ -1817,6 +1821,9 @@
1817 1821 goto exit;
1818 1822 }
1819 1823 filp = nameidata_to_filp(&nd, open_flag);
  1824 + if (IS_ERR(filp))
  1825 + ima_counts_put(&nd.path,
  1826 + acc_mode & (MAY_READ | MAY_WRITE | MAY_EXEC));
1820 1827 /*
1821 1828 * It is now safe to drop the mnt write
1822 1829 * because the filp has had a write taken
... ... @@ -24,6 +24,7 @@
24 24 extern void ima_file_free(struct file *file);
25 25 extern int ima_file_mmap(struct file *file, unsigned long prot);
26 26 extern void ima_counts_get(struct file *file);
  27 +extern void ima_counts_put(struct path *path, int mask);
27 28  
28 29 #else
29 30 static inline int ima_bprm_check(struct linux_binprm *bprm)
... ... @@ -57,6 +58,11 @@
57 58 }
58 59  
59 60 static inline void ima_counts_get(struct file *file)
  61 +{
  62 + return;
  63 +}
  64 +
  65 +static inline void ima_counts_put(struct path *path, int mask)
60 66 {
61 67 return;
62 68 }
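--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -238,7 +238,34 @@
 }
 
 /*
- * ima_opens_get - increment file counts
+ * ima_counts_put - decrement file counts
+ *
+ * File counts are incremented in ima_path_check. On file open
+ * error, such as ETXTBSY, decrement the counts to prevent
+ * unnecessary imbalance messages.
+ */
+void ima_counts_put(struct path *path, int mask)
+{
+	struct inode *inode = path->dentry->d_inode;
+	struct ima_iint_cache *iint;
+
+	if (!ima_initialized || !S_ISREG(inode->i_mode))
+		return;
+	iint = ima_iint_find_insert_get(inode);
+	if (!iint)
+		return;
+
+	mutex_lock(&iint->mutex);
+	iint->opencount--;
+	if ((mask & MAY_WRITE) || (mask == 0))
+		iint->writecount--;
+	else if (mask & (MAY_READ | MAY_EXEC))
+		iint->readcount--;
+	mutex_unlock(&iint->mutex);
+}
+
+/*
+ * ima_counts_get - increment file counts
  *
  * - for IPC shm and shmat file.
  * - for nfsd exported files.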
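Review bot: ima_counts_put() takes iint from ima_iint_find_insert_get() and returns right after mutex_unlock() without releasing it, so if that helper hands back a reference (as its `_get` suffix suggests) every failed open leaks one; the body of the sibling ima_counts_get(), which is outside this hunk, should show the release call to pair with it after `mutex_unlock(&iint->mutex);`. The `_insert` half of the helper is worth a second look as well: if no cache entry exists for the inode yet, the helper presumably allocates one with zeroed counters and this function then drives opencount and the read/write counter negative, which can mask or manufacture the very imbalance messages the commit is meant to silence. A lookup-only variant of the helper, if the file has one, or an early return when the entry is freshly created would keep the decrement tied to a prior increment. Both points are inferred from the helper's name rather than from code visible here, so the header comment should at least state the contract: `* Must only be called after a successful ima_path_check on the same path.`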