Commit 94e5d714f604d4cb4cb13163f01ede278e69258b
Committed by
James Morris
1 parent
79b854c549
integrity: add ima_counts_put (updated)
This patch fixes an imbalance message as reported by J.R. Okajima. The IMA file counters are incremented in ima_path_check. If the actual open fails, such as ETXTBSY, decrement the counters to prevent unnecessary imbalance messages. Reported-by: J.R. Okajima <hooanon05@yahoo.co.jp> Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
Showing 3 changed files with 41 additions and 1 deletions Side-by-side Diff
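--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1761,6 +1761,10 @@
 goto exit;
 }
 filp = nameidata_to_filp(&nd, open_flag);
+ if (IS_ERR(filp))
+ ima_counts_put(&nd.path,
+ acc_mode & (MAY_READ | MAY_WRITE |
+ MAY_EXEC));
 mnt_drop_write(nd.path.mnt);
 if (nd.root.mnt)
 path_put(&nd.root);
@@ -1817,6 +1821,9 @@
 goto exit;
 }
 filp = nameidata_to_filp(&nd, open_flag);
+ if (IS_ERR(filp))
+ ima_counts_put(&nd.path,
+ acc_mode & (MAY_READ | MAY_WRITE | MAY_EXEC));
 /*
 * It is now safe to drop the mnt write
 * because the filp has had a write taken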
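Review bot: Both added calls (new lines 1764-1767 and 1824-1826) pass `&nd.path` to ima_counts_put() after nameidata_to_filp() has already failed, and ima_counts_put() in ima_main.c immediately reads `path->dentry->d_inode`. nameidata_to_filp() is not visible here; if its failure path releases the dentry and mount references, this reads a dentry that is no longer pinned, so the call should either run while a reference is still held or use an inode saved before the open attempt. At minimum I would add `/* nd.path must still be pinned here: ima_counts_put() dereferences path->dentry->d_inode */` above each call. The mask expression is also duplicated with different wrapping in the two hunks; computing it once in a local would keep both calls in step with the mask used on the increment side, which these hunks do not show. The enclosing function starts and ends outside both hunks.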
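--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -24,6 +24,7 @@
 extern void ima_file_free(struct file *file);
 extern int ima_file_mmap(struct file *file, unsigned long prot);
 extern void ima_counts_get(struct file *file);
+extern void ima_counts_put(struct path *path, int mask);
 
 #else
 static inline int ima_bprm_check(struct linux_binprm *bprm)
@@ -57,6 +58,11 @@
 }
 
 static inline void ima_counts_get(struct file *file)
+{
+ return;
+}
+
+static inline void ima_counts_put(struct path *path, int mask)
 {
 return;
 }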
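--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -238,7 +238,34 @@
 }
 
 /*
- * ima_opens_get - increment file counts
+ * ima_counts_put - decrement file counts
+ *
+ * File counts are incremented in ima_path_check. On file open
+ * error, such as ETXTBSY, decrement the counts to prevent
+ * unnecessary imbalance messages.
+ */
+void ima_counts_put(struct path *path, int mask)
+{
+ struct inode *inode = path->dentry->d_inode;
+ struct ima_iint_cache *iint;
+
+ if (!ima_initialized || !S_ISREG(inode->i_mode))
+ return;
+ iint = ima_iint_find_insert_get(inode);
+ if (!iint)
+ return;
+
+ mutex_lock(&iint->mutex);
+ iint->opencount--;
+ if ((mask & MAY_WRITE) || (mask == 0))
+ iint->writecount--;
+ else if (mask & (MAY_READ | MAY_EXEC))
+ iint->readcount--;
+ mutex_unlock(&iint->mutex);
+}
+
+/*
+ * ima_counts_get - increment file counts
 *
 * - for IPC shm and shmat file.
 * - for nfsd exported files.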
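Review bot: ima_counts_put() obtains `iint` from ima_iint_find_insert_get() and returns after `mutex_unlock(&iint->mutex);` with no visible release, so if that helper takes a reference (as its `_get` suffix suggests) every failed open leaks one; the matching put should follow the unlock. The helper presumably also inserts when no entry exists, so an error path for a file that was never counted would create an entry and push `opencount` and the read/write counters below zero. A guard such as `if (iint->opencount > 0) iint->opencount--;`, and likewise for the other two counters, would stop the integrity accounting from drifting out of balance in the opposite direction. The header comment should also state that `mask == 0` is treated as a write and that the branch choice must mirror the increment in ima_path_check, which is not shown here.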