<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/security/integrity/ima/ima_iint.c, branch v5.11-rc3</title>
<subtitle>Linux Kernel (branches are rebased on master from time to time)</subtitle>
<id>https://sre.ring0.de/linux/atom?h=v5.11-rc3</id>
<link rel='self' href='https://sre.ring0.de/linux/atom?h=v5.11-rc3'/>
<link rel='alternate' type='text/html' href='https://sre.ring0.de/linux/'/>
<updated>2011-07-18T16:29:38Z</updated>
<entry>
<title>integrity: move ima inode integrity data management</title>
<updated>2011-07-18T16:29:38Z</updated>
<author>
<name>Mimi Zohar</name>
<email>zohar@linux.vnet.ibm.com</email>
</author>
<published>2011-03-09T19:13:22Z</published>
<link rel='alternate' type='text/html' href='https://sre.ring0.de/linux/commit/?id=f381c272224f5f158f5cff64f8f3481fa0eee8b3'/>
<id>urn:sha1:f381c272224f5f158f5cff64f8f3481fa0eee8b3</id>
<content type='text'>
Move the inode integrity data (iint) management up to the integrity directory
in order to share the iint among the different integrity models.

Changelog:
- don't define MAX_DIGEST_SIZE
- rename several globally visible 'ima_' prefixed functions, structs,
  locks, etc to 'integrity_'
- replace '20' with SHA1_DIGEST_SIZE
- reflect location change in appropriate Kconfig and Makefiles
- remove unnecessary initialization of iint_initialized to 0
- rebased on current ima_iint.c
- define integrity_iint_store/lock as static

There should be no other functional changes.

Signed-off-by: Mimi Zohar &lt;zohar@us.ibm.com&gt;
Acked-by: Serge Hallyn &lt;serge.hallyn@ubuntu.com&gt;
</content>
</entry>
<entry>
<title>IMA: remove IMA imbalance checking</title>
<updated>2011-02-10T12:51:44Z</updated>
<author>
<name>Mimi Zohar</name>
<email>zohar@linux.vnet.ibm.com</email>
</author>
<published>2010-11-02T14:14:22Z</published>
<link rel='alternate' type='text/html' href='https://sre.ring0.de/linux/commit/?id=854fdd55bfdd56cfc61bd30f2062a9268fcebba6'/>
<id>urn:sha1:854fdd55bfdd56cfc61bd30f2062a9268fcebba6</id>
<content type='text'>
Now that i_readcount is maintained by the VFS layer, remove the
imbalance checking in IMA. Cleans up the IMA code nicely.

Signed-off-by: Mimi Zohar &lt;zohar@us.ibm.com&gt;
Acked-by: Eric Paris &lt;eparis@redhat.com&gt;
</content>
</entry>
<entry>
<title>IMA: maintain i_readcount in the VFS layer</title>
<updated>2011-02-10T12:51:44Z</updated>
<author>
<name>Mimi Zohar</name>
<email>zohar@linux.vnet.ibm.com</email>
</author>
<published>2010-11-02T14:13:07Z</published>
<link rel='alternate' type='text/html' href='https://sre.ring0.de/linux/commit/?id=890275b5eb79e9933d12290473eab9ac38da0051'/>
<id>urn:sha1:890275b5eb79e9933d12290473eab9ac38da0051</id>
<content type='text'>
ima_counts_get() updated the readcount and invalidated the PCR,
as necessary. Only update the i_readcount in the VFS layer.
Move the PCR invalidation checks to ima_file_check(), where it
belongs.

Maintaining the i_readcount in the VFS layer will allow other
subsystems to use i_readcount.

Signed-off-by: Mimi Zohar &lt;zohar@us.ibm.com&gt;
Acked-by: Eric Paris &lt;eparis@redhat.com&gt;
</content>
</entry>
<entry>
<title>IMA: convert i_readcount to atomic</title>
<updated>2011-02-10T12:51:43Z</updated>
<author>
<name>Mimi Zohar</name>
<email>zohar@linux.vnet.ibm.com</email>
</author>
<published>2010-11-02T14:10:56Z</published>
<link rel='alternate' type='text/html' href='https://sre.ring0.de/linux/commit/?id=a68a27b6f2354273bacc39c3dd06456edb202230'/>
<id>urn:sha1:a68a27b6f2354273bacc39c3dd06456edb202230</id>
<content type='text'>
Convert the inode's i_readcount from an unsigned int to atomic.

Signed-off-by: Mimi Zohar &lt;zohar@us.ibm.com&gt;
Acked-by: Eric Paris &lt;eparis@redhat.com&gt;
</content>
</entry>
<entry>
<title>IMA: explicit IMA i_flag to remove global lock on inode_delete</title>
<updated>2010-10-26T18:37:19Z</updated>
<author>
<name>Eric Paris</name>
<email>eparis@redhat.com</email>
</author>
<published>2010-10-25T18:42:19Z</published>
<link rel='alternate' type='text/html' href='https://sre.ring0.de/linux/commit/?id=196f518128d2ee6e0028b50e6fec0313640db142'/>
<id>urn:sha1:196f518128d2ee6e0028b50e6fec0313640db142</id>
<content type='text'>
Currently for every removed inode IMA must take a global lock and search
the IMA rbtree looking for an associated integrity structure.  Instead
we explicitly mark an inode when we add an integrity structure so we
only have to take the global lock and do the removal if it exists.

Signed-off-by: Eric Paris &lt;eparis@redhat.com&gt;
Acked-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
</entry>
<entry>
<title>IMA: drop refcnt from ima_iint_cache since it isn't needed</title>
<updated>2010-10-26T18:37:19Z</updated>
<author>
<name>Eric Paris</name>
<email>eparis@redhat.com</email>
</author>
<published>2010-10-25T18:42:12Z</published>
<link rel='alternate' type='text/html' href='https://sre.ring0.de/linux/commit/?id=64c62f06bef8314a64d3189cb9c78062d54169b3'/>
<id>urn:sha1:64c62f06bef8314a64d3189cb9c78062d54169b3</id>
<content type='text'>
Since finding a struct ima_iint_cache requires a valid struct inode, and
the struct ima_iint_cache is supposed to have the same lifetime as a
struct inode (technically they die together but don't need to be created
at the same time) we don't have to worry about the ima_iint_cache
outliving or dying before the inode.  So the refcnt isn't useful.  Just
get rid of it and free the structure when the inode is freed.

Signed-off-by: Eric Paris &lt;eapris@redhat.com&gt;
Acked-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
</entry>
<entry>
<title>IMA: move read counter into struct inode</title>
<updated>2010-10-26T18:37:18Z</updated>
<author>
<name>Eric Paris</name>
<email>eparis@redhat.com</email>
</author>
<published>2010-10-25T18:41:59Z</published>
<link rel='alternate' type='text/html' href='https://sre.ring0.de/linux/commit/?id=a178d2027d3198b0a04517d764326ab71cd73da2'/>
<id>urn:sha1:a178d2027d3198b0a04517d764326ab71cd73da2</id>
<content type='text'>
IMA currently allocated an inode integrity structure for every inode in
core.  This structure is about 120 bytes long.  Most files however
(especially on a system which doesn't make use of IMA) will never need
any of this space.  The problem is that if IMA is enabled we need to
know information about the number of readers and the number of writers
for every inode on the box.  At the moment we collect that information
in the per inode iint structure and waste the rest of the space.  This
patch moves those counters into the struct inode so we can eventually
stop allocating an IMA integrity structure except when absolutely
needed.

This patch does the minimum needed to move the location of the data.
Further cleanups, especially the location of counter updates, may still
be possible.

Signed-off-by: Eric Paris &lt;eparis@redhat.com&gt;
Acked-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
</entry>
<entry>
<title>IMA: use i_writecount rather than a private counter</title>
<updated>2010-10-26T18:37:18Z</updated>
<author>
<name>Eric Paris</name>
<email>eparis@redhat.com</email>
</author>
<published>2010-10-25T18:41:52Z</published>
<link rel='alternate' type='text/html' href='https://sre.ring0.de/linux/commit/?id=b9593d309d17c57e9ddc3934d641902533896ca9'/>
<id>urn:sha1:b9593d309d17c57e9ddc3934d641902533896ca9</id>
<content type='text'>
IMA tracks the number of struct files which are holding a given inode
readonly and the number which are holding the inode write or r/w.  It
needs this information so when a new reader or writer comes in it can
tell if this new file will be able to invalidate results it already made
about existing files.

aka if a task is holding a struct file open RO, IMA measured the file
and recorded those measurements and then a task opens the file RW IMA
needs to note in the logs that the old measurement may not be correct.
It's called a "Time of Measure Time of Use" (ToMToU) issue.  The same is
true if a RO file is opened to an inode which has an open writer.  We
cannot, with any validity, measure the file in question since it could
be changing.

This patch attempts to use the i_writecount field to track writers.  The
i_writecount field actually embeds more information in its value than
IMA needs but it should work for our purposes and allow us to shrink the
struct inode even more.

Signed-off-by: Eric Paris &lt;eparis@redhat.com&gt;
Acked-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
</entry>
<entry>
<title>IMA: use unsigned int instead of long for counters</title>
<updated>2010-10-26T18:37:18Z</updated>
<author>
<name>Eric Paris</name>
<email>eparis@redhat.com</email>
</author>
<published>2010-10-25T18:41:32Z</published>
<link rel='alternate' type='text/html' href='https://sre.ring0.de/linux/commit/?id=497f32337073a2da102c49a53779097b5394711b'/>
<id>urn:sha1:497f32337073a2da102c49a53779097b5394711b</id>
<content type='text'>
Currently IMA uses 2 longs in struct inode.  To save space (and as it
seems impossible to overflow 32 bits) we switch these to unsigned int.
The switch to unsigned does require slightly different checks for
underflow, but it isn't complex.

Signed-off-by: Eric Paris &lt;eparis@redhat.com&gt;
Acked-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
</entry>
<entry>
<title>IMA: drop the inode opencount since it isn't needed for operation</title>
<updated>2010-10-26T18:37:17Z</updated>
<author>
<name>Eric Paris</name>
<email>eparis@redhat.com</email>
</author>
<published>2010-10-25T18:41:26Z</published>
<link rel='alternate' type='text/html' href='https://sre.ring0.de/linux/commit/?id=b575156dafef208415ff0842c392733d16d4ccf1'/>
<id>urn:sha1:b575156dafef208415ff0842c392733d16d4ccf1</id>
<content type='text'>
The opencount was used to help debugging to make sure that everything
which created a struct file also correctly made the IMA calls.  Since we
moved all of that into the VFS this isn't as necessary.  We should be
able to get the same amount of debugging out of just the reader and
write count.

Signed-off-by: Eric Paris &lt;eparis@redhat.com&gt;
Acked-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
</entry>
</feed>
